Abstract

Reachability and LTL model-checking problems for flat counter systems are
known to be decidable but whereas the reachability problem can be shown
in NP, the best known complexity upper bound for the latter problem is
made of a tower of several exponentials. Herein, we show that the problem is
only NP-complete even if LTL admits past-time operators and arithmetical
constraints on counters. Adding past-time operators to LTL
immediately leads to complications: an NP upper bound cannot be deduced
by translating formulae into Büchi automata. Actually, the NP upper bound
is shown by adequately combining a new stuttering theorem for Past LTL and
the property of small integer solutions for quantifier-free Presburger formulae.
Other complexity results are proved, for instance for restricted classes of
flat counter systems such as path schemas. Our NP upper bound extends
known and recent results on model-checking weak Kripke structures with
LTL formulae as well as reachability problems for flat counter systems.
1. Introduction

Flat counter systems. Counter systems are finite-state automata equipped
with program variables (counters) interpreted over non-negative integers.
They are used in many places like broadcast protocols [11] and programs
with pointers [14], to quote a few examples. But, along with their large scope
of usability, many problems on general counter systems are known to be
undecidable [27]. Indeed, this computational model can simulate Turing machines.
This is not the end of the story since decidability of reachability
problems or model-checking problems based on temporal logics can be regained
by considering subclasses of counter systems (this includes restrictions
on the instructions, on the control graphs or on more semantical properties).
An important and natural class of counter systems, in which various practical
cases of infinite-state systems (e.g. broadcast protocols [13]) can be
modelled, are those with a flat control graph, i.e., those where no control
state occurs in more than one simple cycle, see e.g. BHHHB. Decidability
results on verifying safety and reachability properties on flat counter
systems have been obtained in 0, Gil S|. However, so far, such properties
have been rarely considered in the framework of any formal specification language
(see an exception in [6]). A class of Presburger counter systems has been
identified for which the local model checking problem for Presburger-CTL* is
shown decidable. These are Presburger counter systems defined over flat control
graphs with arcs labelled by adequate Presburger formulae (representing
constraints on counters). Even though flatness is clearly a substantial restriction,
it is shown in [24] that many classes of counter systems with computable
Presburger-definable reachability sets are flattable, i.e. there exists a flat unfolding
of the counter system with identical reachability sets. Hence, the
possibility of flattening a counter system is strongly related to semilinearity
of its reachability set. Moreover, in [6] model-checking relational counter systems
over LTL formulae is shown decidable when restricted to flat formulae
(their translation into automata leads to flat structures).

Towards the complexity of temporal model-checking flat counter systems. In [9],
it is shown that CTL* model-checking over the class of so-called admissible
counter systems is decidable by reduction into the satisfiability problem for
Presburger arithmetic, the decidable first-order theory of natural numbers
with addition. Obviously CTL* properties are more expressive than reachability
properties but this has a cost. However, for the class of counter systems
considered in this paper, this provides a very rough complexity upper bound
in 4EXPTIME. Herein, our goal is to revisit standard decidability results
for subclasses of counter systems obtained by translation into Presburger
arithmetic in order to obtain optimal complexity upper bounds. Indeed, effectively
composing the translation of a verification problem into Presburger
arithmetic (PrA) and then using a solver for PrA is not necessarily optimal
computationally.

Our contributions. In this paper, we establish several computational complexity
characterizations of model-checking problems restricted to flat counter
systems in the presence of a rich LTL-like specification language with arithmetical
constraints and past-time operators. Not only do we provide an optimal
complexity but also, we believe that our proof technique could be reused for
further extensions. Indeed, we combine three proof techniques: the general
stuttering theorem [21], the property of small integer solutions of equation
systems [3] (this latter technique has been used since [29, 17]) and the elimination
of disjunctions in guards (see Section 6). Let us be a bit more precise.
We extend the general stuttering principle established in [21] for LTL (without
past-time operators) to Past LTL. However, since this principle will be
applied to path schemas, a fundamental structure in flat counter systems,
we do not aim at being optimal as soon as it will be helpful to establish
the NP upper bounds. A path schema is simply a finite alternation of path
segments and simple loops (no repetition of edges) and the principle states
that satisfaction of an LTL formula requires only to take loops a number
of times that is linear in the temporal depth of the formula. This principle
has already been used to establish that LTL model-checking over weak
Kripke structures is in NP [20] (weakness corresponds to flatness). It is
worth noting that another way to show a similar result would be to eliminate
past-time operators thanks to Gabbay's Separation Theorem [15] (preserving
initial equivalence) but the temporal depth of formulae might increase
at least exponentially, which is a crucial parameter in our complexity analysis.
We show that the model-checking problem restricted to flat counter
systems in the presence of LTL with past-time operators is in NP (Theorem 7.4)
by combining the above-mentioned proof techniques (we call this
problem MC(PLTL[C], CFS)). Apart from the use of the general stuttering
theorem (Theorem 3.1), we take advantage of the other properties stated for
instance in the lemma characterizing runs by quantifier-free Presburger
formulae and in Theorem 6.11 (elimination of disjunctions in guards preserving
flatness). Note that the loops in runs are visited a number of times that
can be exponential in the worst case, but this does not prevent us from
establishing the NP upper bound. We also take advantage of the fact that
model-checking ultimately periodic models with Past LTL is in PTIME [22],
but our main decision procedure is not automata-based, unlike the approach
from [31]. In the paper, complexity results for fragments/subproblems are
also considered. For instance, we get a sharp lower bound since we establish
that the model-checking problem on path schemas with only 2 loops is already
NP-hard (see Lemma 4.9). A summary table of results can be found
at the end of the paper.



2. Flat Counter Systems and its LTL Dialect

We write $\mathbb{N}$ [resp. $\mathbb{Z}$] to denote the set of natural numbers [resp. integers]
and $[i, j]$ to denote $\{k \in \mathbb{Z} : i \le k \text{ and } k \le j\}$. For $v \in \mathbb{Z}^n$, $v[i]$ denotes the
$i$th element of $v$ for every $i \in [1, n]$. For some $n$-ary tuple $t$, we write $\pi_j(t)$ to
denote the $j$th element of $t$ ($j \le n$). In the sequel, integers are encoded with a
binary representation. For a finite alphabet $\Sigma$, $\Sigma^*$ represents the set of finite
words over $\Sigma$, $\Sigma^+$ the set of finite non-empty words over $\Sigma$ and $\Sigma^\omega$ the set of
$\omega$-words over $\Sigma$. For a finite word $w = a_1 \cdots a_k$ over $\Sigma$, we write $\mathrm{len}(w)$ to
denote its length $k$. For $0 \le i < \mathrm{len}(w)$, $w(i)$ represents the $(i + 1)$-th letter
of the word, here $a_{i+1}$.

2.1. Counter Systems

Counter constraints are defined below as a subclass of Presburger formulae
whose free variables are understood as counters. Such constraints
are used to define guards in counter systems but also to define arithmetical
constraints in temporal formulae. Let $C = \{x_1, x_2, \ldots\}$ be a countably infinite
set of counters (variables interpreted over non-negative integers) and
$AT = \{p_1, p_2, \ldots\}$ be a countably infinite set of propositional variables (abstract
properties about program points). We write $C_n$ to denote the restriction
of $C$ to $\{x_1, x_2, \ldots, x_n\}$.

Definition 2.1 (Guards). The set $G(C_n)$ of guards (arithmetical constraints
on counters in $C_n$) is defined inductively as follows:

$$t ::= a.x \mid t + t$$

$$g ::= t \sim b \mid g \wedge g \mid g \vee g$$

where $x \in C_n$, $a \in \mathbb{Z}$, $b \in \mathbb{N}$ and $\sim \in \{=, \le, \ge, <, >\}$.
Note that such guards are closed under negation (but negation is not a
logical connective: the negation of $t \le b$ is $t > b$, and so on, pushed down to the atoms) and the truth constants $\top$ and $\bot$ can easily be defined
too. Given $g \in G(C_n)$ and a vector $v \in \mathbb{N}^n$, we say that $v$ satisfies $g$, written
$v \models g$, if the formula obtained by replacing each $x_i$ by $v[i]$ holds.

Definition 2.2 (Counter system). For a natural number $n \ge 1$, an $n$-dim
counter system (shortly a counter system) $S$ is a tuple $(Q, C_n, \Delta, l)$ where:

• $Q$ is a finite set of control states.

• $l : Q \to 2^{AT}$ is a labelling function.

• $\Delta \subseteq Q \times G(C_n) \times \mathbb{Z}^n \times Q$ is a finite set of edges labelled by guards and
updates of the counter values (transitions).

For $\delta = (q, g, u, q')$ in $\Delta$, we use the following notations:

• $\mathrm{source}(\delta) = q$,

• $\mathrm{target}(\delta) = q'$,

• $\mathrm{guard}(\delta) = g$,

• $\mathrm{update}(\delta) = u$.

As usual, to a counter system $S = (Q, C_n, \Delta, l)$, we associate a labelled transition
system $TS(S) = (\mathcal{C}, \to)$ where $\mathcal{C} = Q \times \mathbb{N}^n$ is the set of configurations
and $\to \subseteq \mathcal{C} \times \Delta \times \mathcal{C}$ is the transition relation defined by: $((q, v), \delta, (q', v')) \in \to$
(also written $(q, v) \xrightarrow{\delta} (q', v')$) iff the conditions below are satisfied:

• $q = \mathrm{source}(\delta)$ and $q' = \mathrm{target}(\delta)$,

• $v \models \mathrm{guard}(\delta)$ and $v' = v + \mathrm{update}(\delta)$.

Note that in such a transition system, the counter values are non-negative
since $\mathcal{C} = Q \times \mathbb{N}^n$: an edge whose update would make some counter negative is
simply not fireable from that configuration. We extend the transition relation $\to$ to finite words
of transitions in $\Delta^+$ as follows. For each $w = \delta_1 \delta_2 \cdots \delta_\alpha \in \Delta^+$, we have
$(q, v) \xrightarrow{w} (q', v')$ if there are $c_0, c_1, \ldots, c_\alpha \in \mathcal{C}$ such that $c_i \xrightarrow{\delta_{i+1}} c_{i+1}$ for all
$i \in [0, \alpha - 1]$, $c_0 = (q, v)$ and $c_\alpha = (q', v')$. We say that an $\omega$-word $w \in \Delta^\omega$ is
fireable in $S$ from a configuration $c_0 \in Q \times \mathbb{N}^n$ if for all finite prefixes $w'$ of $w$
there exists a configuration $c \in Q \times \mathbb{N}^n$ such that $c_0 \xrightarrow{w'} c$. We write $\mathrm{lab}(c_0)$
to denote the set of $\omega$-words (labels) which are fireable from $c_0$ in $S$.
Given an initial configuration $c_0 \in Q \times \mathbb{N}^n$, a run $\rho$ starting from $c_0$ in $S$
is an infinite path in the associated transition system $TS(S)$ denoted as:

$$\rho := c_0 \xrightarrow{\delta_0} \cdots \xrightarrow{\delta_{\alpha - 1}} c_\alpha \xrightarrow{\delta_\alpha} \cdots$$

where $c_i \in Q \times \mathbb{N}^n$ and $\delta_i \in \Delta$ for all $i \in \mathbb{N}$. Let $\mathrm{lab}(\rho)$ be the $\omega$-word $\delta_0 \delta_1 \cdots$
associated to the run $\rho$. Note that by definition we have $\mathrm{lab}(\rho) \in \mathrm{lab}(c_0)$.
When $E$ is an $\omega$-regular expression over the finite alphabet $\Delta$ and $c_0$ is an
initial configuration, $\mathrm{lab}(E, c_0)$ is defined as the set of labels of infinite runs
$\rho$ starting at $c_0$ such that $\mathrm{lab}(\rho)$ belongs to the language defined by $E$. So
$\mathrm{lab}(E, c_0) \subseteq \mathrm{lab}(c_0)$.

We say that a counter system is flat if every node in the underlying graph
belongs to at most one simple cycle (a cycle being simple if no edge is repeated
in it) [7]. In a flat counter system, simple cycles can be organized as
a DAG where two simple cycles are in the relation whenever there is a path
between a node of the first cycle and a node of the second cycle. We denote
by $CFS$ the class of flat counter systems.

Below, we present the control graph of a flat counter system (guards and
updates are omitted).

A Kripke structure $S$ is a tuple $(Q, \Delta, l)$ where $\Delta \subseteq Q \times Q$ and $l$ is a labelling function.
It can be viewed as a degenerate form of counter system without counters
(in the sequel, we take the freedom to see them as counter systems). All
standard notions on counter systems naturally apply to Kripke structures
too (configuration, run, flatness, etc.). In the sequel, we shall also investigate
the complexity of model-checking problems on flat Kripke structures (such a
class is denoted by $KFS$).
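As an added illustration, not code from the paper, the following Python makes Definitions 2.1 and 2.2, the transition relation of $TS(S)$ extended to finite words, and the flatness condition executable on a constructed two-counter system. The guard encoding, the state and edge names and the SCC-based flatness test are this example's own choices; the test relies on the observation that a control state lies on two simple cycles exactly when it has two outgoing edges (counted with multiplicity) that stay inside its strongly connected component.

```python
# Added example (not from the paper): Definitions 2.1 and 2.2, the transition
# system TS(S), the extension of -> to finite words of transitions, and a
# flatness test on the control graph. Names, guard encoding and the sample
# system are this example's own choices.
from typing import Dict, List, Optional, Tuple

Term = Dict[int, int]          # {i: a} stands for the term a.x_i (0-based counter index)
Guard = tuple                  # ("cmp", Term, op, b) | ("and", g, g) | ("or", g, g), b in N
Config = Tuple[str, Tuple[int, ...]]              # (control state, vector v in N^n)
Edge = Tuple[str, Guard, Tuple[int, ...], str]    # (source, guard, update in Z^n, target)

_CMP = {"=": lambda a, b: a == b, "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b,
        "<": lambda a, b: a < b, ">": lambda a, b: a > b}


def satisfies(v: Tuple[int, ...], g: Guard) -> bool:
    """v |= g: substitute v[i] for x_i and evaluate (Definition 2.1)."""
    if g[0] == "cmp":
        _, term, op, b = g
        return _CMP[op](sum(a * v[i] for i, a in term.items()), b)
    if g[0] == "and":
        return satisfies(v, g[1]) and satisfies(v, g[2])
    if g[0] == "or":
        return satisfies(v, g[1]) or satisfies(v, g[2])
    raise ValueError(f"unknown guard {g!r}")


def step(c: Config, delta: Edge) -> Optional[Config]:
    """(q, v) --delta--> (q', v') in TS(S), or None when delta is not fireable.
    Configurations live in Q x N^n, so an update driving a counter below 0
    is not a transition at all."""
    q, v = c
    src, guard, update, tgt = delta
    if q != src or not satisfies(v, guard):
        return None
    v2 = tuple(x + d for x, d in zip(v, update))
    return (tgt, v2) if min(v2) >= 0 else None


def fire_word(c: Config, word: List[Edge]) -> Optional[Config]:
    """(q, v) --w--> (q', v') for a finite word w = delta_1 ... delta_alpha."""
    for delta in word:
        c = step(c, delta)
        if c is None:
            return None
    return c


def _scc(states: List[str], edges: List[Edge]) -> Dict[str, str]:
    """Tarjan's algorithm: map each state to a representative of its SCC."""
    succ = {q: [t for (s, _, _, t) in edges if s == q] for q in states}
    index: Dict[str, int] = {}
    low: Dict[str, int] = {}
    comp: Dict[str, str] = {}
    stack: List[str] = []

    def visit(v: str) -> None:
        index[v] = low[v] = len(index)
        stack.append(v)
        for w in succ[v]:
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in stack:                 # w is still on the stack: same SCC
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:               # v is the root of an SCC: pop it
            while True:
                w = stack.pop()
                comp[w] = v
                if w == v:
                    break

    for q in states:
        if q not in index:
            visit(q)
    return comp


def is_flat(states: List[str], edges: List[Edge]) -> bool:
    """Flat: every state lies on at most one simple cycle (no edge repeated).
    Reformulated here (our observation): no state has two outgoing edges that
    stay inside its own SCC. An SCC in which every state has one internal
    successor is exactly one simple cycle; a second internal edge gives a
    second cycle through that state."""
    comp = _scc(states, edges)
    return all(sum(1 for (s, _, _, t) in edges if s == q and comp[t] == comp[q]) <= 1
               for q in states)


# Constructed 2-counter flat system: q0 moves x1 into x2 one unit per loop
# iteration, then hands over to the q1/q2 cycle, which drains x2.
X1_GE_1 = ("cmp", {0: 1}, ">=", 1)     # x1 >= 1
X1_EQ_0 = ("cmp", {0: 1}, "=", 0)      # x1 = 0
X2_GE_1 = ("cmp", {1: 1}, ">=", 1)     # x2 >= 1
TOP = ("cmp", {0: 0}, "=", 0)          # 0.x1 = 0, i.e. the guard "true"
LOOP0: Edge = ("q0", X1_GE_1, (-1, 1), "q0")
E01: Edge = ("q0", X1_EQ_0, (0, 0), "q1")
E12: Edge = ("q1", X2_GE_1, (0, -1), "q2")
E21: Edge = ("q2", TOP, (0, 0), "q1")
STATES = ["q0", "q1", "q2"]
EDGES = [LOOP0, E01, E12, E21]

if __name__ == "__main__":
    print(fire_word(("q0", (2, 0)), [LOOP0, LOOP0, E01]))   # ('q1', (0, 2))
    print(is_flat(STATES, EDGES))                            # True
```

`fire_word` returns `None` as soon as a guard fails or an update would leave $\mathbb{N}^n$, which is how the requirement $\mathcal{C} = Q \times \mathbb{N}^n$ shows up operationally; $\mathrm{lab}(c_0)$ is then the set of $\omega$-words all of whose finite prefixes `fire_word` accepts from $c_0$. Adding a second self-loop on `q1` puts `q1` on two simple cycles and `is_flat` rejects the system.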
2.2. Linear-Time Temporal Logic with Past and Arithmetical Constraints

The model-checking problem for Past LTL over finite state systems is known
to be PSPACE-complete [30]. In spite of this nice feature, a propositional variable
$p$ only represents an abstract property about the current configuration of
the system. A more satisfactory solution is to include in the logical language
the possibility to express directly constraints between variables of the program,
thereby refining the standard abstraction made with propositional
variables. When the variables are typed, they may be interpreted in some
specific domain like integers, strings and so on; reasoning in such theories
can be performed thanks to satisfiability modulo theories proof techniques,
see e.g. [16] in which SMT solvers are used for model-checking infinite-state
systems. Hence, the basic idea behind the design of the logic PLTL[C] is to
refine the language of atomic formulae and to allow comparisons of counter
values. Similar motivations can be found in the introduction of concrete
domains in description logics, that are logic-based formalisms for knowledge
representation [1, 25]. We define below a version of linear-time temporal logic
LTL dedicated to counter systems in which the atomic formulae are linear
constraints and the temporal operators are those of LTL. Note that capacity
constraints from [10] are arithmetical constraints different from those defined
below.

The formulae of the logic PLTL[C] are defined as follows:

$$\phi ::= p \mid g \mid \neg\phi \mid \phi \wedge \phi \mid \phi \vee \phi \mid X\phi \mid \phi U \phi \mid X^{-1}\phi \mid \phi S \phi$$

where $p \in AT$ and $g \in G(C_n)$ for some $n$. We may use the standard abbreviations
$F$, $G$, $G^{-1}$ etc. For instance, the formula $GF(x_1 + 2 > x_2)$ states
that infinitely often the value of counter 1 plus 2 is greater than the value of
counter 2. The past-time operators $S$ and $X^{-1}$ do not add expressive power
to the logic itself [15], but it is known that they help a lot to express properties
succinctly, see e.g. [23, 22]. The temporal depth of $\phi$, written $td(\phi)$, is
defined as the maximal number of nested temporal operators in $\phi$.
The restriction of PLTL[C] to atomic formulae from $AT$ only is written PLTL[$\emptyset$];
it corresponds to the standard version of LTL with past-time operators. Models
of PLTL[C] are essentially abstractions of runs from counter systems, i.e.
$\omega$-sequences $\sigma : \mathbb{N} \to 2^{AT} \times \mathbb{N}^C$. Given a model $\sigma$ and a position $i \in \mathbb{N}$, the
satisfaction relation $\models$ for PLTL[C] is defined as follows (Boolean clauses are
omitted):

$$\sigma, i \models p \ \stackrel{\text{def}}{\Leftrightarrow}\ p \in \pi_1(\sigma(i))$$

$$\sigma, i \models g \ \stackrel{\text{def}}{\Leftrightarrow}\ v_i \models g \text{ where } v_i(x_j) = \pi_2(\sigma(i))(x_j)$$

$$\sigma, i \models X\phi \ \stackrel{\text{def}}{\Leftrightarrow}\ \sigma, i + 1 \models \phi$$

$$\sigma, i \models \phi_1 U \phi_2 \ \stackrel{\text{def}}{\Leftrightarrow}\ \sigma, j \models \phi_2 \text{ for some } j \ge i \text{ such that } \sigma, k \models \phi_1 \text{ for all } i \le k < j$$

$$\sigma, i \models X^{-1}\phi \ \stackrel{\text{def}}{\Leftrightarrow}\ i > 0 \text{ and } \sigma, i - 1 \models \phi$$

$$\sigma, i \models \phi_1 S \phi_2 \ \stackrel{\text{def}}{\Leftrightarrow}\ \sigma, j \models \phi_2 \text{ for some } 0 \le j \le i \text{ such that } \sigma, k \models \phi_1 \text{ for all } j < k \le i$$

Given a counter system $(Q, C_n, \Delta, l)$ and a run $\rho := (q_0, v_0) \xrightarrow{\delta_0} \cdots \xrightarrow{\delta_{\beta - 1}} (q_\beta, v_\beta) \cdots$,
we consider the model $\sigma_\rho : \mathbb{N} \to 2^{AT} \times \mathbb{N}^C$ such that
$\pi_1(\sigma_\rho(i)) = l(q_i)$ and $\pi_2(\sigma_\rho(i))(x_j) = v_i[j]$ for all $j \in [1, n]$ and $i \in \mathbb{N}$.
Note that $\pi_2(\sigma_\rho(i))(x_j)$ is arbitrary for $j \notin [1, n]$. As expected, we extend
the satisfaction relation to runs so that $\rho, i \models \phi \Leftrightarrow \sigma_\rho, i \models \phi$ whenever $\phi$ is
built from counters in $C_n$.

The verification problem we are interested in is the model-checking problem
for PLTL[C] over counter systems, written MC(L, $\mathbf{C}$), where L is a fragment
of PLTL[C] and $\mathbf{C}$ is a class of counter systems. MC(L, $\mathbf{C}$) is defined as
follows:

Input: A counter system $S \in \mathbf{C}$, a configuration $c_0$ and a formula $\phi \in$ L;
Output: Does there exist a run $\rho$ starting from $c_0$ in $S$ such that $\rho, 0 \models \phi$?

If the answer is "yes", we will write $S, c_0 \models \phi$. It is known that for the full
class of counter systems, the model-checking problem is undecidable; this is
due to the fact that reachability of a control state is undecidable for counter
systems manipulating at least two counters [27]. On the other hand, some
restrictions can lead to decidability of this problem. This is the case for
flat counter systems, for which it is proved in [9] that the model-checking
problem of some temporal logic more expressive than PLTL[C] is decidable.
Unfortunately the decision procedure proposed in [9] involves an exponential
reduction to the satisfiability problem for some formulae of Presburger
arithmetic and as a consequence has a high complexity.

Theorem 2.3. [9, 20] MC(PLTL[C], CFS) can be solved in 4EXPTIME.
MC(PLTL[$\emptyset$], KFS) restricted to formulae with temporal operators U, X is
NP-complete.

The main goal of this work is to show that we can have a much better upper
bound for MC(PLTL[C], CFS) and to give in fact the precise complexity
of this problem and of related fragments.



3. Stuttering Theorem for PLTL[$\emptyset$]

Stuttering of finite words or single letters has been instrumental to show
several results about the expressive power of PLTL[$\emptyset$] fragments, see e.g. [28, 21];
for instance, PLTL[$\emptyset$] restricted to the temporal operator U characterizes
exactly the class of formulae defining classes of models invariant under
stuttering. This is refined in [21] for PLTL[$\emptyset$] restricted to U and X, by taking
into account not only the U-depth but also the X-depth of formulae and
by introducing a principle of stuttering that involves both letter stuttering
and word stuttering. In this section, we establish another substantial generalization
that involves the full logic PLTL[$\emptyset$] (with its past-time temporal
operators). Roughly speaking, we show that if $\sigma_1 s^M \sigma_2, 0 \models \phi$ where $\sigma_1 s^M \sigma_2$
is a PLTL[$\emptyset$] model ($\sigma_1$, $s$ being finite words), $\phi \in$ PLTL[$\emptyset$], $td(\phi) \le N$ and
$M \ge 2N + 1$, then $\sigma_1 s^{2N+1} \sigma_2, 0 \models \phi$ (and other related properties). Hence,
if there is a run

(a) satisfying a path schema $P$ (see Section 4) and,

(b) verifying a PLTL[$\emptyset$] formula $\phi$,

then there is a run satisfying (a), (b) and each loop is visited at most
$2 \times td(\phi) + 5$ times, leading to an NP upper bound (see Proposition 4.4). This
extends a result without past-time operators [20]. Moreover, this turns out
to be a key property (Theorem 3.1) to establish the NP upper bound even
in the presence of counters (but additional work needs to be done). Note
that Theorem 3.1 below is interesting for its own sake, independently of our
investigation on flat counter systems.

Given $M, M', N \in \mathbb{N}$, we write $M \approx_N M'$ iff $\min(M, N) = \min(M', N)$.
Given $w = w_1 u^M w_2$, $w' = w_1 u^{M'} w_2 \in \Sigma^\omega$ and $i, i' \in \mathbb{N}$, we define an equivalence
relation $(w, i) \approx_N (w', i')$ (implicitly parameterized by $w_1$, $w_2$ and $u$)
such that $(w, i) \approx_N (w', i')$ means that the number of copies of $u$ before position
$i$ and the number of copies of $u$ before position $i'$ are related by $\approx_N$,
and the same applies for the number of copies after the positions. Moreover,
if $i$ and $i'$ occur in the part where $u$ is repeated, then they correspond to
identical positions in $u$. More formally, $(w, i) \approx_N (w', i')$ iff $M \approx_{2N} M'$ and
one of the following conditions holds true:

1. $i, i' < \mathrm{len}(w_1) + N \cdot \mathrm{len}(u)$ and $i = i'$.

2. $i \ge \mathrm{len}(w_1) + (M - N) \cdot \mathrm{len}(u)$ and $i' \ge \mathrm{len}(w_1) + (M' - N) \cdot \mathrm{len}(u)$ and
$(i - i') = (M - M') \cdot \mathrm{len}(u)$.

3. $\mathrm{len}(w_1) + N \cdot \mathrm{len}(u) \le i < \mathrm{len}(w_1) + (M - N) \cdot \mathrm{len}(u)$ and $\mathrm{len}(w_1) + N \cdot \mathrm{len}(u) \le i' < \mathrm{len}(w_1) + (M' - N) \cdot \mathrm{len}(u)$ and $|i - i'| = 0 \bmod \mathrm{len}(u)$.

[Figure 1: Two words $w$, $w'$ with $u = \square\blacksquare$ and the relation $\approx_3$.]

Figure 1 presents two words $w$ and $w'$ over the alphabet $\Sigma = \{\square, \blacksquare\}$
such that $w$ is of the form $w_1(\square\blacksquare)^7 w_2$ and $w'$ is of the form $w_1(\square\blacksquare)^8 w_2$.
The relation $\approx_3$ is represented by edges between positions: each edge from
position $i$ of $w$ to position $i'$ of $w'$ represents the fact that $(w, i) \approx_3 (w', i')$.



In order to prove our stuttering theorem for PLTL[$\emptyset$], we need to express
some properties concerning the relation $\approx_N$ whose proofs can be found in the
subsequent subsections. Let $w = w_1 u^M w_2$, $w' = w_1 u^{M'} w_2 \in \Sigma^\omega$, $i, i' \in \mathbb{N}$ and
$N \ge 2$ such that $M, M' \ge 2N + 1$ and $(w, i) \approx_N (w', i')$. We can show the
following properties:

(Claim 1) $(w, i) \approx_{N-1} (w', i')$ and $w(i) = w'(i')$.

(Claim 2) $i, i' > 0$ implies $(w, i - 1) \approx_{N-1} (w', i' - 1)$.

(Claim 3) $(w, i + 1) \approx_{N-1} (w', i' + 1)$.

(Claim 4) For all $j \ge i$, there is $j' \ge i'$ such that $(w, j) \approx_{N-1} (w', j')$ and
for all $k' \in [i', j' - 1]$, there is $k \in [i, j - 1]$ such that $(w, k) \approx_{N-1} (w', k')$.

(Claim 5) For all $j \le i$, there is $j' \le i'$ such that $(w, j) \approx_{N-1} (w', j')$ and
for all $k' \in [j' + 1, i']$, there is $k \in [j + 1, i]$ such that $(w, k) \approx_{N-1} (w', k')$.

We now state our stuttering theorem for PLTL[$\emptyset$] that is tailored for our
future needs.

Theorem 3.1 (Stuttering). Let $\sigma = \sigma_1 s^M \sigma_2$, $\sigma' = \sigma_1 s^{M'} \sigma_2 \in (2^{AT})^\omega$ and
$i, i', N, M, M' \in \mathbb{N}$ such that $N \ge 2$, $M, M' \ge 2N + 1$ and $(\sigma, i) \approx_N (\sigma', i')$. Then, for
every PLTL[$\emptyset$] formula $\phi$ with $td(\phi) \le N$, we have $\sigma, i \models \phi$ iff $\sigma', i' \models \phi$.

Proof (sketch) The proof is by structural induction on the formula, but first
we need to establish properties (Claim 1) to (Claim 5).
By way of example, let us present the induction step for subformulae of
the form $\psi_1 U \psi_2$. We show that $\sigma, i \models \psi_1 U \psi_2$ implies $\sigma', i' \models \psi_1 U \psi_2$. Suppose
there is $j \ge i$ such that $\sigma, j \models \psi_2$ and for every $k \in [i, j - 1]$, we have
$\sigma, k \models \psi_1$. There is $j' \ge i'$ satisfying (Claim 4). Since $td(\psi_1), td(\psi_2) \le N - 1$,
by (IH), we have $\sigma', j' \models \psi_2$. Moreover, for every $k' \in [i', j' - 1]$, there is
$k \in [i, j - 1]$ such that $(\sigma, k) \approx_{N-1} (\sigma', k')$ and by (IH), we have $\sigma', k' \models \psi_1$
for every $k' \in [i', j' - 1]$. Hence, $\sigma', i' \models \psi_1 U \psi_2$. $\square$

An alternative proof consists in using Ehrenfeucht-Fraïssé games [12].
This would not necessarily provide a shorter proof and it requires properties
from the games in [12]. The forthcoming proofs for the claims are self-contained.
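The semantics of Section 2.2 and Theorem 3.1 can be exercised on concrete ultimately periodic models. The Python below is an added example, not code from the paper: formulas are nested tuples, guards are Python predicates standing in for $G(C_n)$, and the two models (an abstraction $\sigma_\rho$ of a two-counter run, and the words $\sigma_1 s^M \sigma_2$ of the theorem) are constructed here. Evaluating $X^{-1}$ and $S$ on a lasso requires unrolling the loop once per level of temporal depth before the last copy can be closed back on itself; that unrolling bound is this example's own reasoning, not a statement of the paper.

```python
# Added example (not from the paper): an evaluator for the PLTL[C] semantics of
# Section 2.2 on ultimately periodic models prefix.loop^omega, and a check of
# Theorem 3.1 on the words sigma_1 s^M sigma_2 at positions i = i' = 0.
# Formulas are nested tuples (encodings and names are this example's own):
#   ("p", name) | ("g", pred) | ("true",) | ("not", f) | ("and", f, f) | ("or", f, f)
#   | ("X", f) | ("U", f, f) | ("Y", f) for X^{-1} | ("S", f, f)
# pred is a Python predicate on the counter valuation, standing in for a guard.
# A model position is (set of propositions, counter valuation).
from typing import Dict, FrozenSet, List, Set, Tuple

Pos = Tuple[FrozenSet[str], Dict[str, int]]


def td(f) -> int:
    """Temporal depth: maximal nesting of X, U, X^{-1}, S."""
    op = f[0]
    if op in ("p", "g", "true"):
        return 0
    if op == "not":
        return td(f[1])
    if op in ("X", "Y"):
        return 1 + td(f[1])
    if op in ("and", "or"):
        return max(td(f[1]), td(f[2]))
    return 1 + max(td(f[1]), td(f[2]))          # U, S


def _sat(f, seq: List[Pos], loop_start: int) -> Set[int]:
    """Positions of the unrolled lasso seq[0..n) satisfying f; the successor of
    the last position is loop_start, the past is the explicit prefix."""
    n = len(seq)
    succ = lambda j: j + 1 if j + 1 < n else loop_start
    sub = lambda g: _sat(g, seq, loop_start)
    op = f[0]
    if op == "true":
        return set(range(n))
    if op == "p":
        return {j for j in range(n) if f[1] in seq[j][0]}
    if op == "g":
        return {j for j in range(n) if f[1](seq[j][1])}
    if op == "not":
        return set(range(n)) - sub(f[1])
    if op == "and":
        return sub(f[1]) & sub(f[2])
    if op == "or":
        return sub(f[1]) | sub(f[2])
    if op == "X":
        s = sub(f[1])
        return {j for j in range(n) if succ(j) in s}
    if op == "Y":                                # i > 0 and sigma, i-1 |= f
        s = sub(f[1])
        return {j for j in range(1, n) if j - 1 in s}
    if op == "U":                                # least fixpoint of f2 or (f1 and X res)
        a, b = sub(f[1]), sub(f[2])
        res = set(b)
        while True:
            new = {j for j in a if succ(j) in res} - res
            if not new:
                return res
            res |= new
    if op == "S":                                # f2 or (f1 and X^{-1} res), left to right
        a, b = sub(f[1]), sub(f[2])
        res, prev = set(), False
        for j in range(n):
            prev = j in b or (j in a and prev)
            if prev:
                res.add(j)
        return res
    raise ValueError(f"unknown operator {op!r}")


def holds(f, prefix: List[Pos], loop: List[Pos], i: int = 0) -> bool:
    """sigma, i |= f for sigma = prefix . loop^omega. The loop is unrolled td(f)
    extra times before the lasso is closed: each nested past operator can push
    by one loop the point from which truth values become periodic."""
    unrolled = prefix + loop * (td(f) + 1)
    loop_start = len(prefix) + td(f) * len(loop)
    assert 0 <= i < len(unrolled)
    return i in _sat(f, unrolled, loop_start)


def P(name): return ("p", name)
def F(f): return ("U", ("true",), f)
def G(f): return ("not", F(("not", f)))
def at(props: str = "", **counters: int) -> Pos: return (frozenset(props.split()), dict(counters))


# Constructed abstraction sigma_rho of a 2-counter run: GF(x1 + 2 > x2) holds,
# G(x1 + 2 > x2) does not.
RUN_PREFIX = [at("init", x1=0, x2=0)]
RUN_LOOP = [at(x1=3, x2=1), at(x1=3, x2=6)]
GUARD = ("g", lambda v: v["x1"] + 2 > v["x2"])

def run_checks() -> Tuple[bool, bool]:
    return holds(G(F(GUARD)), RUN_PREFIX, RUN_LOOP), holds(G(GUARD), RUN_PREFIX, RUN_LOOP)

# Theorem 3.1 with N = 2, sigma_1 = {a}, s = {b}, sigma_2 = {c}^omega, i = i' = 0:
# formulas of depth <= 2 cannot separate M = 2N+1 = 5 from M' = 9; X^6 c can.
def stutter_model(M: int) -> Tuple[List[Pos], List[Pos]]:
    return [at("a")] + [at("b")] * M, [at("c")]

def agree(f, M: int, Mp: int) -> bool:
    return holds(f, *stutter_model(M)) == holds(f, *stutter_model(Mp))

DEPTH2 = [F(("and", P("c"), ("Y", P("b")))),                 # F(c and X^{-1} b)
          G(("or", ("not", P("b")), ("S", P("b"), P("a")))),   # G(b -> (b S a))
          ("U", ("or", P("a"), P("b")), ("X", P("c")))]        # (a or b) U X c
X6C = P("c")
for _ in range(6):
    X6C = ("X", X6C)
```

`run_checks()` returns `(True, False)`; every formula in `DEPTH2` gives the same verdict for $M = 5$ and $M' = 9$, while `X6C` holds for $M = 5$ only, which is the shape of Theorem 3.1: agreement is guaranteed up to depth $N$ and nothing beyond it. The `U` case is a backward reachability fixpoint on the lasso, and `S` is a single left-to-right pass, matching the two satisfaction clauses of Section 2.2.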

3.1. A Zone Classification for Proving (Claim 1) - (Claim 5)

For the proofs of (Claim 1) - (Claim 5), the positions of each word $w$ of
the form $w = w_1 u^M w_2 \in \Sigma^\omega$ ($w_1 \in \Sigma^*$, $u \in \Sigma^+$ and $w_2 \in \Sigma^\omega$) with $M \ge 2N$
are partitioned into five zones (A, B, C, D and E). We also assume that
$N \ge 2$. Indeed, given that $(w, i) \approx_N (w', i')$, we shall proceed by a case
analysis on the positions $i$ and $i'$ depending on which zones $i$ and $i'$ belong
to. The definition of zones is illustrated on Figure 2 and here is the formal
characterization:

• Zone A corresponds to the set of positions $i \in \mathbb{N}$ such that $0 \le i < \mathrm{len}(w_1) + (N - 1) \cdot \mathrm{len}(u)$.

• Zone B corresponds to the set of positions $i \in \mathbb{N}$ such that $\mathrm{len}(w_1) + (N - 1) \cdot \mathrm{len}(u) \le i < \mathrm{len}(w_1) + N \cdot \mathrm{len}(u)$.

• Zone C corresponds to the set of positions $i \in \mathbb{N}$ such that $\mathrm{len}(w_1) + N \cdot \mathrm{len}(u) \le i < \mathrm{len}(w_1) + (M - N) \cdot \mathrm{len}(u)$.

• Zone D corresponds to the set of positions $i \in \mathbb{N}$ such that $\mathrm{len}(w_1) + (M - N) \cdot \mathrm{len}(u) \le i < \mathrm{len}(w_1) + (M - (N - 1)) \cdot \mathrm{len}(u)$.

• Zone E corresponds to the set of positions $i \in \mathbb{N}$ such that $\mathrm{len}(w_1) + (M - (N - 1)) \cdot \mathrm{len}(u) \le i$.

[Figure 2: The five zones A, B, C, D, E for $w_1(\square\blacksquare)^8 w_2$ with $N = 3$ and $u = \square\blacksquare$.]

Note that the definition of zones depends on the value $N$ (taken from
$\approx_N$) and also on $u$, $w_1$ and $w_2$. In the sequel, we may index the zones by
$N$ (providing e.g., $A_N$, $B_N$ etc.) when it is useful to make explicit from
which relation $\approx_N$ the definition of zones is made. Moreover, we may use a
prime (providing for instance, $A'_N$, $B'_N$ etc.) to refer to zones for $w'$. So, the
relation $\approx_N$ can be redefined as follows when $M, M' \ge 2N$: $(w, i) \approx_N (w', i')$
iff $M \approx_{2N} M'$ and one of the following conditions holds true:

1. $i = i'$ and either ($i \in A_N$ and $i' \in A'_N$) or ($i \in B_N$ and $i' \in B'_N$).

2. $(i - i') = (M - M') \cdot \mathrm{len}(u)$ and either ($i \in D_N$ and $i' \in D'_N$) or ($i \in E_N$
and $i' \in E'_N$).

3. $i \in C_N$, $i' \in C'_N$ and $|i - i'| = 0 \bmod \mathrm{len}(u)$.
3.2. Proof of (Claim 1)

Before the proof, let us recall what is (Claim 1). Let $w = w_1 u^M w_2$, $w' = w_1 u^{M'} w_2 \in \Sigma^\omega$, $i, i' \in \mathbb{N}$ and $N \ge 2$ such that $M, M' \ge 2N + 1$ and $(w, i) \approx_N (w', i')$.

(Claim 1) $(w, i) \approx_{N-1} (w', i')$; $w(i) = w'(i')$.

Proof Let us first prove that $(w, i) \approx_{N-1} (w', i')$. Without any loss of
generality, we can assume that $M \ge M'$. Since $N \ge N - 1$, it is obvious that
$M \approx_{2(N-1)} M'$.

• If $i < \mathrm{len}(w_1) + (N - 1) \cdot \mathrm{len}(u)$ [$i$ is in Zone $A_N$], then $i = i'$. Hence
either ($i \in A_{N-1}$, $i' \in A'_{N-1}$ and $i = i'$) or ($i \in B_{N-1}$, $i' \in B'_{N-1}$ and
$i = i'$). Hence, $(w, i) \approx_{N-1} (w', i')$.

• If $i \ge \mathrm{len}(w_1) + (M - (N - 1)) \cdot \mathrm{len}(u)$ [$i$ is in Zone $E_N$] then $i = i' + (M - M') \cdot \mathrm{len}(u)$ and $i' \ge \mathrm{len}(w_1) + (M' - (N - 1)) \cdot \mathrm{len}(u)$ [$i'$ is in
Zone $E'_N$]. So, either ($i$ is in Zone $E_{N-1}$ and $i'$ is in Zone $E'_{N-1}$) or ($i$ is
in Zone $D_{N-1}$ and $i'$ is in Zone $D'_{N-1}$). Since $i = i' + (M - M') \cdot \mathrm{len}(u)$,
we conclude that $(w, i) \approx_{N-1} (w', i')$.

• If $\mathrm{len}(w_1) + (N - 1) \cdot \mathrm{len}(u) \le i < \mathrm{len}(w_1) + N \cdot \mathrm{len}(u)$ [$i$ is in Zone $B_N$]
then $i = i'$. Hence, $i \in C_{N-1}$, $i' \in C'_{N-1}$ and $|i - i'| = 0 \bmod \mathrm{len}(u)$.
Hence, $(w, i) \approx_{N-1} (w', i')$.

• If $\mathrm{len}(w_1) + N \cdot \mathrm{len}(u) \le i < \mathrm{len}(w_1) + (M - N) \cdot \mathrm{len}(u)$ [$i$ is in Zone
$C_N$], then $\mathrm{len}(w_1) + N \cdot \mathrm{len}(u) \le i' < \mathrm{len}(w_1) + (M' - N) \cdot \mathrm{len}(u)$ [$i'$ is
in Zone $C'_N$] and $|i - i'| = 0 \bmod \mathrm{len}(u)$. Consequently, $i$ is in Zone
$C_{N-1}$, $i'$ is in Zone $C'_{N-1}$ and $|i - i'| = 0 \bmod \mathrm{len}(u)$. This entails that
$(w, i) \approx_{N-1} (w', i')$.

• If $\mathrm{len}(w_1) + (M - N) \cdot \mathrm{len}(u) \le i < \mathrm{len}(w_1) + (M - (N - 1)) \cdot \mathrm{len}(u)$
[$i$ is in Zone $D_N$], then $i'$ is in Zone $D'_N$ and $i = i' + (M - M') \cdot \mathrm{len}(u)$.
Consequently, $i$ is in Zone $C_{N-1}$, $i'$ is in Zone $C'_{N-1}$ and $|i - i'| = 0 \bmod \mathrm{len}(u)$. This also entails that $(w, i) \approx_{N-1} (w', i')$.

As far as the second property is concerned, it is also clear that $w(i) = w'(i')$:
either $i$ and $i'$ are at the same position in the word $w_1$ or $w_2$,
or they point to positions in the portions of the words which belong
to $u^+$, and since their difference satisfies $|i - i'| = 0 \bmod \mathrm{len}(u)$,
$i$ and $i'$ point at the same position in $u$. $\square$

3.3. Proof of (Claim 2)

Before the proof, let us recall what is (Claim 2). Let $w = w_1 u^M w_2$, $w' = w_1 u^{M'} w_2 \in \Sigma^\omega$, $i, i' \in \mathbb{N}$ and $N \ge 2$ such that $M, M' \ge 2N + 1$ and $(w, i) \approx_N (w', i')$.

(Claim 2) $i, i' > 0$ implies $(w, i - 1) \approx_{N-1} (w', i' - 1)$.

Proof Without any loss of generality, we can assume that $M \ge M'$. Since
$N \ge N - 1$, it is obvious that $M \approx_{2(N-1)} M'$.

• If $i < \mathrm{len}(w_1) + (N - 1) \cdot \mathrm{len}(u)$ [$i$ is in Zone $A_N$], then $i = i'$. Hence,
$i - 1 = i' - 1$ and either ($i - 1 \in A_{N-1}$ and $i' - 1 \in A'_{N-1}$) or ($i - 1 \in B_{N-1}$ and
$i' - 1 \in B'_{N-1}$), since $A_N = A_{N-1} \cup B_{N-1}$. So, $(w, i - 1) \approx_{N-1} (w', i' - 1)$.

• If $i \ge \mathrm{len}(w_1) + (M - (N - 1)) \cdot \mathrm{len}(u)$ [$i$ is in Zone $E_N$] then $i = i' + (M - M') \cdot \mathrm{len}(u)$ and $i' \ge \mathrm{len}(w_1) + (M' - (N - 1)) \cdot \mathrm{len}(u)$ [$i'$ is
in Zone $E'_N$]. So, either ($i - 1$ is in Zone $E_{N-1}$, $i' - 1$ is in Zone $E'_{N-1}$
and $i - 1 = i' - 1 + (M - M') \cdot \mathrm{len}(u)$) or ($i - 1$ is in Zone $D_{N-1}$,
$i' - 1$ is in Zone $D'_{N-1}$ and $i - 1 = i' - 1 + (M - M') \cdot \mathrm{len}(u)$) or ($i - 1$
is in Zone $C_{N-1}$, $i' - 1$ is in Zone $C'_{N-1}$ and $|(i - 1) - (i' - 1)| = 0 \bmod \mathrm{len}(u)$). We conclude that $(w, i - 1) \approx_{N-1} (w', i' - 1)$.

• If $\mathrm{len}(w_1) + (N - 1) \cdot \mathrm{len}(u) \le i < \mathrm{len}(w_1) + N \cdot \mathrm{len}(u)$ [$i$ is in Zone
$B_N$] then $i = i'$. Hence, either ($i - 1 \in C_{N-1}$, $i' - 1 \in C'_{N-1}$ and
$|(i - 1) - (i' - 1)| = 0 \bmod \mathrm{len}(u)$) or ($i - 1 \in B_{N-1}$, $i' - 1 \in B'_{N-1}$
and $i - 1 = i' - 1$). Hence, $(w, i - 1) \approx_{N-1} (w', i' - 1)$.

• If $\mathrm{len}(w_1) + N \cdot \mathrm{len}(u) \le i < \mathrm{len}(w_1) + (M - N) \cdot \mathrm{len}(u)$ [$i$ is in Zone $C_N$],
then $\mathrm{len}(w_1) + N \cdot \mathrm{len}(u) \le i' < \mathrm{len}(w_1) + (M' - N) \cdot \mathrm{len}(u)$ [$i'$ is in
Zone $C'_N$] and $|i - i'| = 0 \bmod \mathrm{len}(u)$. Consequently, $i - 1$ is in Zone
$C_{N-1}$, $i' - 1$ is in Zone $C'_{N-1}$ and $|(i - 1) - (i' - 1)| = 0 \bmod \mathrm{len}(u)$.
This entails that $(w, i - 1) \approx_{N-1} (w', i' - 1)$.

• If $\mathrm{len}(w_1) + (M - N) \cdot \mathrm{len}(u) \le i < \mathrm{len}(w_1) + (M - (N - 1)) \cdot \mathrm{len}(u)$
[$i$ is in Zone $D_N$], then $i'$ is in Zone $D'_N$ and $i = i' + (M - M') \cdot \mathrm{len}(u)$.
Consequently, $i - 1$ is in Zone $C_{N-1}$, $i' - 1$ is in Zone $C'_{N-1}$ and $|(i - 1) - (i' - 1)| = 0 \bmod \mathrm{len}(u)$. This entails that $(w, i - 1) \approx_{N-1} (w', i' - 1)$.

$\square$

3.4. Proof of (Claim 3)

The proof proceeds in a similar way as the proof of (Claim 2). For completeness'
sake, the proof is provided in the Appendix.

3.5. Proof of (Claim 4)

Before providing the detailed proof, we give a concrete example on Figure 3.
On this example, we assume that the top word $w$ and the bottom
word $w'$ and their respective positions $i$ and $i'$ are such that $(w, i) \approx_3 (w', i')$.
We want to illustrate (Claim 4) and for this matter, we choose a position $j$
in $w$. Now observe that according to the zone classification, $j$ is in the Zone
C of the word $w$ and furthermore it is not possible to find a $j' \ge i'$ in the
Zone C of the word $w'$ such that $j$ and $j'$ point to the same position of the
word $u$. That is why we need to consider at this stage not the relation $\approx_3$
but instead $\approx_2$. In fact, as shown on the bottom of Figure 3, we can find for
$j$ a position $j'$ in $w'$ such that $(w, j) \approx_2 (w', j')$ (take $j' = j$) and this figure
also shows that for all $i' \le k \le j'$, $(w, k) \approx_2 (w', k)$.

[Figure 3: Relation between $\approx_N$ and $\approx_{N-1}$.]

Before the proof, let us recall what is (Claim 4). Let $w = w_1 u^M w_2$, $w' = w_1 u^{M'} w_2 \in \Sigma^\omega$, $i, i' \in \mathbb{N}$ and $N \ge 2$ such that $M, M' \ge 2N + 1$ and $(w, i) \approx_N (w', i')$. We can show the following property:

(Claim 4) For all $j \ge i$, there is $j' \ge i'$ such that $(w, j) \approx_{N-1} (w', j')$ and
for all $k' \in [i', j' - 1]$, there is $k \in [i, j - 1]$ such that $(w, k) \approx_{N-1} (w', k')$.

Proof We proceed by a case analysis on the positions $i$ and $j$. Without any
loss of generality, we can assume that $M \ge M'$.

• If $i \ge \mathrm{len}(w_1) + (M - N) \cdot \mathrm{len}(u)$ [$i$ is in Zone D or E] then $j \ge \mathrm{len}(w_1) + (M - N) \cdot \mathrm{len}(u)$ [$j$ is in Zone D or E] and $i' \ge \mathrm{len}(w_1) + (M' - N) \cdot \mathrm{len}(u)$ [$i'$ is in Zone D or E] and $i = i' + (M - M') \cdot \mathrm{len}(u)$.
We define $j' = j - (M - M') \cdot \mathrm{len}(u)$. Then it is clear that $j' \ge i'$
and $(w, j) \approx_N (w', j')$. By (Claim 1), we get $(w, j) \approx_{N-1} (w', j')$.
Let $k' \in [i', j' - 1]$ and let $k = k' + (M - M') \cdot \mathrm{len}(u)$; then we have
that $k \in [i, j - 1]$ and also $(w, k) \approx_N (w', k')$, hence by (Claim 1),
$(w, k) \approx_{N-1} (w', k')$.

• If $i < \mathrm{len}(w_1) + N \cdot \mathrm{len}(u)$ [$i$ is in Zone A or B] then $i' < \mathrm{len}(w_1) + N \cdot \mathrm{len}(u)$ [$i'$ is in Zone A or B] and $i = i'$, and we have the following
possibilities for the position $j \ge i$:

– If $j < \mathrm{len}(w_1) + N \cdot \mathrm{len}(u)$ [$j$ is in Zone A or B], then let $j' = j$.
Consequently we have $(w, j) \approx_N (w', j')$ and by (Claim 1) we get
$(w, j) \approx_{N-1} (w', j')$. Let $k' \in [i', j' - 1]$ and $k = k'$. Then we have
that $k \in [i, j - 1]$ and also $(w, k) \approx_N (w', k')$ and by (Claim 1),
$(w, k) \approx_{N-1} (w', k')$.

– If $\mathrm{len}(w_1) + N \cdot \mathrm{len}(u) \le j < \mathrm{len}(w_1) + (M - N) \cdot \mathrm{len}(u)$ [$j$ is in Zone
C], then let $\ell = (j - (\mathrm{len}(w_1) + N \cdot \mathrm{len}(u))) \bmod \mathrm{len}(u)$ ($\ell$ is the
relative position of $j$ in the word $u$ it belongs to). Consequently
$0 \le \ell < \mathrm{len}(u)$. Let $j' = \mathrm{len}(w_1) + N \cdot \mathrm{len}(u) + \ell$ (we choose $j'$ at
the same relative position as $j$ in the first word $u$ of the Zone C).
Then $\mathrm{len}(w_1) + N \cdot \mathrm{len}(u) \le j' < \mathrm{len}(w_1) + (M' - N) \cdot \mathrm{len}(u)$ [$j'$ is in
Zone C] (because $M' - N > N$ as $M' \ge 2N + 1$, so the Zone C of $w'$ contains at least one full copy of $u$) and $|j - j'| = 0 \bmod \mathrm{len}(u)$. We
deduce that $(w, j) \approx_N (w', j')$ and by (Claim 1) we get $(w, j) \approx_{N-1} (w', j')$. Then let $k' \in [i', j' - 1]$ and let $k = k'$. Then we have
that $k \in [i, j - 1]$ since $j' \le j$. Furthermore, if $k' < \mathrm{len}(w_1) + N \cdot \mathrm{len}(u)$ [$k'$
is in Zone A or B] we obtain $(w, k) \approx_N (w', k')$ and by (Claim 1),
$(w, k) \approx_{N-1} (w', k')$. Moreover, if $\mathrm{len}(w_1) + N \cdot \mathrm{len}(u) \le k'$ [$k'$
is in Zone C] then $k$ is in Zone C and $|k - k'| = 0 \bmod \mathrm{len}(u)$
since $k = k'$. So, $(w, k) \approx_N (w', k')$ and by (Claim 1), $(w, k) \approx_{N-1} (w', k')$.

– If $\mathrm{len}(w_1) + (M - N) \cdot \mathrm{len}(u) \le j$ [$j$ is in Zone D or E], let $j' = j - (M - M') \cdot \mathrm{len}(u)$. Then, we have $\mathrm{len}(w_1) + (M' - N) \cdot \mathrm{len}(u) \le j'$
[$j'$ is in Zone D or E] and we deduce that $(w, j) \approx_N (w', j')$ and
by (Claim 1) we get $(w, j) \approx_{N-1} (w', j')$. Then let $k' \in [i', j' - 1]$.
If $k' < \mathrm{len}(w_1) + N \cdot \mathrm{len}(u)$ [$k'$ is in Zone A or B], for $k = k'$, we
obtain $(w, k) \approx_N (w', k')$ and by (Claim 1), $(w, k) \approx_{N-1} (w', k')$.
If $k' \ge \mathrm{len}(w_1) + (M' - N) \cdot \mathrm{len}(u)$ [$k'$ is in Zone D or E],
we choose $k = k' + (M - M') \cdot \mathrm{len}(u)$ and here also we deduce
$(w, k) \approx_N (w', k')$ and by (Claim 1), $(w, k) \approx_{N-1} (w', k')$. If
$\mathrm{len}(w_1) + N \cdot \mathrm{len}(u) \le k' < \mathrm{len}(w_1) + (M' - N) \cdot \mathrm{len}(u)$ [$k'$ is in
Zone C], let $\ell = (k' - (\mathrm{len}(w_1) + N \cdot \mathrm{len}(u))) \bmod \mathrm{len}(u)$ ($\ell$ is
the relative position of $k'$ in the word $u$ it belongs to) and let
$k = \mathrm{len}(w_1) + N \cdot \mathrm{len}(u) + \ell$ ($k$ is placed at the same relative
position as $k'$ in the first word $u$ of the Zone C). Then we have
$\mathrm{len}(w_1) + N \cdot \mathrm{len}(u) \le k < \mathrm{len}(w_1) + (M - N) \cdot \mathrm{len}(u)$ and $|k - k'| = 0 \bmod \mathrm{len}(u)$, which allows us to deduce that $(w, k) \approx_N (w', k')$ and by
(Claim 1), $(w, k) \approx_{N-1} (w', k')$.

• If $\mathrm{len}(w_1) + N \cdot \mathrm{len}(u) \le i < \mathrm{len}(w_1) + (M - N) \cdot \mathrm{len}(u)$ [$i$ is in Zone C]
then $\mathrm{len}(w_1) + N \cdot \mathrm{len}(u) \le i' < \mathrm{len}(w_1) + (M' - N) \cdot \mathrm{len}(u)$ [$i'$ is in Zone
C] and $|i - i'| = 0 \bmod \mathrm{len}(u)$. Let $\ell = (i - (\mathrm{len}(w_1) + N \cdot \mathrm{len}(u))) \bmod \mathrm{len}(u)$ (the relative position of $i$ in the word $u$). We have the
following possibilities for the position $j \ge i$:

– If $j - i < \mathrm{len}(u) - \ell + \mathrm{len}(u)$ ($j$ is either in the same word $u$ as $i$ or
in the next word $u$), then $j < \mathrm{len}(w_1) + (M - (N - 1)) \cdot \mathrm{len}(u)$ [$j$
is in Zone C or D] . We define j' — i' + (j — i) and we have that 
len(wi) + N ■ len(«) < f < len(«;i) + (M' — (N — 1)) • len(«) [j ; is 
in Zone C or D] and since \i — i'\ — mod len(-u), we deduce 
Ij— j'\ = mod len(u). From this we obtain (w,j) (w r ,f). 
Let fc' e [«', j' — 1] and k = i+k'— i! . We have then that k e — 1] 
and len(«;i) + AMen(w) < k' < len(«;i) + (M / -(iV-l))den(M) and 
len(«;i) + N ■ len(w) < k < \en(wi) + (M-(N- 1)) • len(u). Since 
\i — i'\ — mod len(tt), we also have |fc — k'\ — mod len(u). 
Consequently (w,k) ~ N _i (w',k'). 

— If j — i > len(-u) — £ + len(w) (j is neither in the same word u as 
i nor in the next word u) and j > len(wi) + (M — N) ■ len(-u) [j 
is in Zone E or D]. Let f = j — (M — M') ■ len(u) then f > 
len(ty 1 ) + (M / — iV)den(-u) [j' is in Zone E or D] and consequently 

-at ( w ',f) and b y (Claim 1) we get (w,j) (w',f). 
Then let k! € [i',/ - 1]. If A;' > len(mi) + (M' - iV) • len(u) 
[fc' is in Zone D or E], then let k = k' + (M - M') ■ len(u); 
we have in this case that k > len(wi) + (M — N) ■ len(w) and 
this allows us to deduce that (w,k) ~jv_! (w',k'}. Now assume 
k' < len(wi) + (M' - N) ■ len(w) [k' is in Zone C] and k' - 
i! < len(-u) — £ {k' and i' are in the same word u), then let k = 
i + k' — i! . In this case we have k < len(wi) + (M — N) ■ len(w) 
[A; is in Zone C] and since \i — i'\ = mod len(-u), we also 
have \k — k'\ — mod len(u), whence {w,k} ^ N _x (w',k'}. Now 
assume k' < len(ty 1 ) + (M' — N) ■ len(-u) [A;' is in Zone C] and 
k' — i' > len(w) — £ (k' and i! are not in the same word u). We 
denote by £' = (k' — (len(wi) + N - len(u))) mod len(-u) the relative 
position of k! in u and let k — i + (len(w) —£)+£' (k and k! occur 
in the same position in u but k occurs in the word u just after 
the word u in which i belongs to) Then k G — 1] (because 
£' < len(-u) and j — i > len(u) — £+\en(u)) and A; < len(to 1 ) + (M — 
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(JV-l))-len(u) (because i+(len(u)-£) < len(w 1 )+(M-Ar)-len(u) 
and £' < len(w)) and \k — k'\ — mod len(tt) (A; and fc' are both 
pointing on the £'-th position in word u). This allows us to deduce 
that (w,k) (w',k'). 

— If j — % > len(u) — £ + len(-u) (j is neither in the same word u as i 
nor in the next word u) and j < len(toi) + (M — N) -len(u) [j is in 
Zone C]. Then let £' = (j - (len (w{) + N den (u))) mod len(u) the 
relative position of j in w. We choose j' — i' + (len(u) (j 
and j' occur in the same position in u but j' occurs in the word u 
just after the word u in which i' belongs to) We have then that j' < 
len(toi) + (M' — (TV — 1)) • len(u) [j' is in Zone C or D] (because 
i' + (len(u) - < len(wi) + (M — N) ■ len(u) and f < len(u)) and 
|j — j'| =0 mod len(-u) {j and j' are both pointing on the £'-ih 
position in word u), hence (w,j) ~jv-i ( w ',j')- Let A;' G [i', j' — 1]. 
If k'—i' < len(u)—£ (k' and i' are in the same word u), then let = 
i+k'—i'. In this case we have k < len(u>i) + (M— N)-\en(u) [k is in 
Zone C] and since = mod len(w), we also have \k— k'\ = 
mod len(-u), hence (w, k) ^ N _ 1 (w 1 , k'). If k' — i' > len(u) — £ {k' 
and i' are not in the same word u), then j' — k' < £' and let 
k = ]—]' — k' . In this case we have k < len(toi) + (M — N) ■ len(u) 
[k is in Zone C] and since \j —j'\ — mod len(w), we also have 
\k — k'\ — mod len(«), hence (w, k) ~ Af _ 1 (w', k'}. 

□ 

3.6. Proof of (Claim 5)

The proof proceeds in a similar way as the proof of (Claim 4). For completeness' sake, the proof is provided in the Appendix.

4. Fundamental Structures: Minimal Path Schemas 

In this section, we introduce the notion of a fundamental structure for 
flat counter systems, namely path schemas. Indeed, every flat counter system 
can be decomposed into a finite set of minimal path schemas and there are 
only an exponential number of them. So, all our nondeterministic algorithms 
to solve model-checking problems on flat counter systems have a preliminary 
step that first guesses a minimal path schema. 
4.1. Minimal Path Schemas

Let $S = (Q, C_n, \Delta, l)$ be a flat counter system. A path segment $p$ of $S$ is a finite sequence of transitions from $\Delta$ such that $\mathrm{target}(p(i)) = \mathrm{source}(p(i+1))$ for all $0 \leq i < \mathrm{len}(p) - 1$. We write $\mathrm{first}(p)$ [resp. $\mathrm{last}(p)$] to denote the first [resp. last] control state of a path segment, in other words $\mathrm{first}(p) = \mathrm{source}(p(0))$ and $\mathrm{last}(p) = \mathrm{target}(p(\mathrm{len}(p) - 1))$. We also write $\mathrm{effect}(p)$ to denote the sum vector $\sum_{0 \leq i < \mathrm{len}(p)} \mathrm{update}(p(i))$ representing the total effect of the updates along the path segment. A path segment $p$ is said to be simple if $\mathrm{len}(p) > 0$ and for all $0 \leq i, j < \mathrm{len}(p)$, $p(i) = p(j)$ implies $i = j$ (no repetition of transitions). A loop is a simple path segment $p$ such that $\mathrm{first}(p) = \mathrm{last}(p)$. If a path segment is not a loop it is called a non-loop segment. A path schema $P$ is an $\omega$-regular expression built over the alphabet of transitions such that its language represents an overapproximation of the set of labels obtained from infinite runs following the transitions of $P$. More precisely, a path schema $P$ is of the form $p_1 l_1^+ p_2 l_2^+ \cdots p_k l_k^\omega$ verifying the following conditions:

1. $l_1, \ldots, l_k$ are loops,

2. $p_1 l_1 p_2 l_2 \cdots p_k l_k$ is a path segment.

We write $\mathrm{len}(P)$ to denote $\mathrm{len}(p_1 l_1 p_2 l_2 \cdots p_k l_k)$ and $\mathrm{nbloops}(P)$ for its number $k$ of loops. Let $\mathcal{L}(P)$ denote the set of infinite words in $\Delta^\omega$ which belong to the language defined by $P$. Note that some elements of $\mathcal{L}(P)$ may not correspond to any run because of constraints on counter values. Given $w \in \mathcal{L}(P)$, we write $\mathrm{iter}_P(w)$ to denote the unique tuple in $(\mathbb{N} \setminus \{0\})^{k-1}$ such that $w = p_1 l_1^{\mathrm{iter}_P(w)[1]} p_2 l_2^{\mathrm{iter}_P(w)[2]} \cdots p_k l_k^\omega$. So, for every $i \in [1, k-1]$, $\mathrm{iter}_P(w)[i]$ is the number of times the loop $l_i$ is taken. Then, for a configuration $c_0$, the set $\mathrm{iter}_P(c_0)$ is the set of vectors $\{\mathrm{iter}_P(w) \in (\mathbb{N} \setminus \{0\})^{k-1} \mid w \in \mathrm{lab}(P, c_0)\}$. Finally, we say that a run $\rho$ starting in a configuration $c_0$ respects a path schema $P$ if $\mathrm{lab}(\rho) \in \mathrm{lab}(P, c_0)$ and for such a run, we write $\mathrm{iter}_P(\rho)$ to denote $\mathrm{iter}_P(\mathrm{lab}(\rho))$. Note that by definition, if $\rho$ respects $P$, then each loop $l_i$ is visited at least once, and the last one infinitely often.

So far, a flat counter system may have an infinite set of path schemas. To see this, it is sufficient to unroll loops in path segments. However, we can impose minimality conditions on path schemas without sacrificing completeness. A path schema $p_1 l_1^+ p_2 l_2^+ \cdots p_k l_k^\omega$ is minimal whenever

1. $p_1 \cdots p_k$ is either the empty word or a simple non-loop segment,
2. $l_1, \ldots, l_k$ are loops with pairwise disjoint sets of transitions.
Figure 4: A flat counter system and one of its minimal path schemas

Lemma 4.1. Given a flat counter system $S = (Q, C_n, \Delta, l)$, the total number of minimal path schemas of $S$ is finite and is smaller than $\mathrm{card}(\Delta)^{2 \times \mathrm{card}(\Delta)}$.

This is a simple consequence of the fact that in a minimal path schema, each transition occurs at most twice (at most once in $p_1 \cdots p_k$ and at most once in the loops). In Figure 4 we present a flat counter system $S$ with a unique counter and one of its minimal path schemas. Each transition $\delta_i$ labelled by $+i$ corresponds to a transition with the guard $\top$ and the update value $+i$. The minimal path schema shown in Figure 4 corresponds to the $\omega$-regular expression $\delta_1 (\delta_2 \delta_3)^+ \delta_4 \delta_5 (\delta_6 \delta_5)^\omega$. In order to avoid confusion between path schemas and flat counter systems that look like path schemas, simple loops in the representation are labelled by $\omega$ or by $\geq 1$ depending on whether the simple loop is the last one or not. Note that in the representation of path schemas, a state may occur several times, as is the case for $q_3$ (this cannot occur in the representation of counter systems). Minimal path schemas play a crucial role in the sequel, mainly because of the properties stated below.

Lemma 4.2. Let $P$ be a path schema. There is a minimal path schema $P'$ such that every run respecting $P$ respects $P'$ too.

The proof of the above lemma is by an easy verification. Indeed, whenever a maximal number of copies of a simple loop is identified as a factor of $p_1 l_1 \cdots p_k l_k$, this factor is replaced by the simple loop unless it is already present in the path schema.

Finally, the conditions imposed on the structure of path schemas imply the following corollary, which states that the number of minimal path schemas for a given flat counter system is at most exponential in the size of the system (see similar statements in [24]).

Corollary 4.3. Given a flat counter system $S$ and a configuration $c_0$, there is a finite set of minimal path schemas $X$ of cardinality at most $\mathrm{card}(\Delta)^{2 \times \mathrm{card}(\Delta)}$ such that $\mathrm{lab}(c_0) = \mathrm{lab}(\bigcup_{P \in X} P, c_0)$.
4.2. Complexity Results

We write $\mathcal{CPS}$ [resp. $\mathcal{KPS}$] to denote the class of path schemas from counter systems [resp. the class of path schemas from Kripke structures]. As a first step towards our main result, we consider the model-checking problem for PLTL[$\emptyset$] over a path schema for a flat Kripke structure. We write MC(PLTL[$\emptyset$], $\mathcal{KPS}$) to denote the problem defined below:

Input: A flat Kripke structure $S$, a path schema $P$ of $S$, a configuration $c_0$ and a formula $\phi$ of PLTL[$\emptyset$];

Output: Does there exist a run $\rho$ starting from $c_0$ which respects $P$ and such that $\rho, 0 \models \phi$?

If the answer is "yes", we will write $P, c_0 \models \phi$. Let $\rho$ and $\rho'$ be runs respecting $P$. For $\alpha > 0$, we write $\rho \equiv_\alpha \rho'$ iff for every $i \in [1, \mathrm{nbloops}(P) - 1]$, we have $\min(\mathrm{iter}_P(\rho)[i], \alpha) = \min(\mathrm{iter}_P(\rho')[i], \alpha)$. We state below a result concerning the runs of flat counter systems (including flat Kripke structures) when respecting the same path schema.

Proposition 4.4. Let $S$ be a flat counter system, $P$ be a path schema, and $\phi \in$ PLTL[$\emptyset$]. For all runs $\rho$ and $\rho'$ respecting $P$ such that $\rho \equiv_{2\mathrm{td}(\phi)+5} \rho'$, we have $\rho, 0 \models \phi$ iff $\rho', 0 \models \phi$.

This property can be proved by applying Theorem 3.1 repeatedly in order to get rid of the unwanted iterations of the loops. Our algorithm for MC(PLTL[$\emptyset$], $\mathcal{KPS}$) takes advantage of a result from [22] for model-checking ultimately periodic models with formulae from Past LTL. An ultimately periodic path is an infinite word in $\Delta^\omega$ of the form $u v^\omega$ where $uv$ is a path segment and consequently $\mathrm{first}(v) = \mathrm{last}(v)$. More generally, an ultimately periodic word over the alphabet $\Sigma$ is an $\omega$-word in $\Sigma^\omega$ that can be written as $w \cdot u^\omega$ where $w$ is the prefix and $u$ is the loop. According to [22], given an ultimately periodic path $w$ and a formula $\phi \in$ PLTL[$\emptyset$], the problem of checking whether there exists a run $\rho$ such that $\mathrm{lab}(\rho) = w$ and $\rho, 0 \models \phi$ is in PTIME (a tighter bound of NC can be obtained by combining results from [19] and Theorem 3.1). Observe that $\rho$ is unique if such a run exists.

Lemma 4.5. MC(PLTL[$\emptyset$], $\mathcal{KPS}$) is in NP.
Figure 5: A simple path schema $P$

The proof is a consequence of Proposition 4.4 and [22]. Indeed, given $\phi \in$ PLTL[$\emptyset$] and $P = p_1 l_1^+ p_2 l_2^+ \cdots p_k l_k^\omega$, first guess $m \in [1, 2\mathrm{td}(\phi) + 5]^{k-1}$ and check whether $\rho, 0 \models \phi$ where $\rho$ is the obvious ultimately periodic run such that $\mathrm{lab}(\rho) = p_1 l_1^{m[1]} p_2 l_2^{m[2]} \cdots p_k l_k^\omega$. Since $m$ is of polynomial size and $\rho, 0 \models \phi$ can be checked in polynomial time by [22], we get the NP upper bound.



From [20], we have the lower bound for MC(PLTL[$\emptyset$], $\mathcal{KPS}$).

Lemma 4.6. [20] MC(PLTL[$\emptyset$], $\mathcal{KPS}$) is NP-hard even if restricted to X and F.

For the sake of completeness, we provide the proof presented in [20] adapted to our context.

Proof. The proof is by reduction from the SAT problem and it is included for the sake of being self-contained. Let $\Phi$ be a Boolean formula built over the propositional variables $AP = \{p_1, \ldots, p_n\}$. We build a path schema $P$ and a formula $\psi$ such that $\Phi$ is satisfiable iff there is a run respecting $P$ and satisfying $\psi$. The path schema $P$ is the one described in Figure 5, so that the truth of the propositional variable $p_i$ is encoded by the fact that the loop containing $q_i$ is visited twice; otherwise it is visited once. The formula $\psi$ is defined as a conjunction $\psi_{1 \vee 2} \wedge \psi_{truth}$ where $\psi_{1 \vee 2}$ states that each loop is visited at most twice and $\psi_{truth}$ establishes the correspondence between the truth of $p_i$ and the number of times the loop containing $q_i$ is visited. Formula $\psi_{1 \vee 2}$ is equal to $\bigwedge_i \mathrm{G}(q_i \wedge \mathrm{XX} q_i \Rightarrow \mathrm{XXX}\mathrm{G} \neg q_i)$ whereas $\psi_{truth}$ is defined from $\Phi$ by replacing each occurrence of $p_i$ by $\mathrm{F}(q_i \wedge \mathrm{XX} q_i)$.

Let us check the correctness of the reduction. Let $v : AP \to \{\top, \bot\}$ be a valuation satisfying $\Phi$. Let us consider the run $\rho$ respecting $P$ such that $\mathrm{iter}_P(\rho)[i] = 2$ if $v(p_i) = \top$, otherwise $\mathrm{iter}_P(\rho)[i] = 1$, for all $i \in [1, n]$. It is easy to check that $\rho, 0 \models \psi$. Conversely, if there is a run $\rho$ respecting $P$ such that $\rho, 0 \models \psi$, the valuation $v$ satisfies $\Phi$ where for all $i \in [1, n]$, we have $v(p_i) = \top$ iff $\mathrm{iter}_P(\rho)[i] = 2$. □

The NP-completeness of MC(PLTL[$\emptyset$], $\mathcal{KPS}$) can then be deduced from the two previous lemmas. We also consider the case where we restrict the class of path schemas by bounding the number of allowed loops. Hence, for a fixed $k \in \mathbb{N}$, we write MC(PLTL[$\emptyset$], $\mathcal{KPS}(k)$) to denote the restriction of MC(PLTL[$\emptyset$], $\mathcal{KPS}$) to path schemas with at most $k$ loops. Note that when $k$ is fixed, the number of ultimately periodic paths $w$ in $\mathcal{L}(P)$ such that each loop (except the last one) is visited at most $2\mathrm{td}(\phi) + 5$ times is bounded by $(2\mathrm{td}(\phi) + 5)^k$, which is polynomial in the size of the input (because $k$ is fixed). From these considerations, we deduce the following result.

Theorem 4.7. MC(PLTL[$\emptyset$], $\mathcal{KPS}$) is NP-complete. Given a fixed $k \in \mathbb{N}$, MC(PLTL[$\emptyset$], $\mathcal{KPS}(k)$) is in PTIME.

Note that it can be proved that MC(PLTL[$\emptyset$], $\mathcal{KPS}(k)$) is in NC, hence giving a tighter upper bound for the problem. This can be obtained by observing that we can run the NC algorithm from [19] for model checking PLTL[$\emptyset$] over ultimately periodic paths in parallel on the $(2\mathrm{td}(\phi) + 5)^k$ (polynomially many) different paths.

Now, we present how to solve MC(PLTL[$\emptyset$], $\mathcal{KFS}$) using Lemma 4.5. From Lemma 4.1, we know that the number of minimal path schemas in a flat Kripke structure $S = (Q, \Delta, l)$ is finite and that the length of a minimal path schema is at most $2 \times \mathrm{card}(\Delta)$. Hence, for solving the model-checking problem for a state $q$ and a PLTL[$\emptyset$] formula $\phi$, a possible algorithm consists in choosing non-deterministically a minimal path schema $P$ starting at the state $q_0$ of the given initial configuration $c_0$ and then applying the algorithm used to establish Lemma 4.5. This new algorithm would be in NP. Furthermore, thanks to Corollary 4.3, we know that if there exists a run $\rho$ of $S$ such that $\rho, 0 \models \phi$ then there exists a minimal path schema $P$ such that $\rho$ respects $P$. Consequently there is an algorithm in NP to solve MC(PLTL[$\emptyset$], $\mathcal{KFS}$), and NP-hardness can be established as a variant of the proof of Lemma 4.6.

Theorem 4.8. MC(PLTL[$\emptyset$], $\mathcal{KFS}$) is NP-complete.

4.3. Some lower bounds in the presence of counters

We will now provide some complexity lower bounds when considering path schemas over counter systems. As for path schemas from Kripke structures,

Figure 6: Path schema $P$

we use $\mathcal{CPS}(k)$ to denote the class of path schemas obtained from flat counter systems with number of loops bounded by $k$. Surprisingly, in the presence of counters, bounding the number of loops does not prevent NP-hardness.

Lemma 4.9. For $k \geq 2$, MC(PLTL[C], $\mathcal{CPS}(k)$) is NP-hard.

The proof is by reduction from SAT and it is less straightforward than the proof of Lemma 4.6 or the reduction presented in [20] when path schemas are involved. Indeed, we cannot encode the nondeterminism in the structure itself, since the structure has only a constant number of loops. Actually, we cannot use a separate loop for each counter; the reduction is done by encoding the nondeterminism in the (possibly exponential) number of times a single loop is taken, and then using its binary encoding as an assignment for the propositional variables.

Proof. The proof is by reduction from the problem SAT. Let $\Phi$ be a Boolean formula built over the propositional variables in $\{p_1, \ldots, p_n\}$. We build a path schema $P \in \mathcal{CPS}(2)$, an initial configuration (all counters will be equal to zero) and a formula $\psi$ such that $\Phi$ is satisfiable iff there is a run respecting $P$ and starting at the initial configuration such that it satisfies $\psi$. The path schema $P$ is the one described in Figure 6: it has one internal loop and a second loop that is visited infinitely often. The guard $x_1 \leq 2^n$ enforces that the first loop is visited $a$ times with $a \in [1, 2^n]$, which corresponds to guessing a propositional valuation such that the truth value of the propositional variable $p_i$ is $\top$ whenever the $i$th bit of $a - 1$ is equal to 1. When $a - 1$ is encoded in binary with $n$ bits, we assume the first bit is the most significant bit. Note that the internal loop has to be visited at least once since $P$ is a path schema.

Since the logical language does not allow access to the $i$th bit of a counter value, we simulate the test by arithmetical constraints in the formula when the second loop of the path schema is visited. For every $a \in [1, 2^n]$ and every $i \in [1, n]$, we write $a_u^i$ to denote the value in $[0, 2^{i-1} - 1]$ corresponding to the $i - 1$ first bits of $a - 1$. Similarly, we write $a_d^i$ to denote the value in $[0, 2^{n+1-i} - 1]$ corresponding to the $(n + 1 - i)$ last bits of $a - 1$. Observe that $a - 1 = a_u^i \times 2^{n+1-i} + a_d^i$. One can show that the propositions below are equivalent:

1. the $i$th bit of $a - 1$ is 1,

2. there is some $k \geq 0$ such that $k \times 2^{n+1-i} + (a - 1) \in [2^n + 2^{n-i}, 2^n + 2^{n+1-i} - 1]$.

Actually, we shall show that $k$ is unique and the only possible value is $2^{i-1} - a_u^i$. Before showing the equivalence between (1.) and (2.), we can observe that condition (2.) can be expressed by the formula $\mathrm{F}(q_1 \wedge ((x_i - 1) \geq 2^n + 2^{n-i}) \wedge ((x_i - 1) \leq 2^n + 2^{n+1-i} - 1))$, since the counter $x_i$ holds $a$ after the first loop and is increased by $2^{n+1-i}$ at each visit of the second loop.

First, note that $[2^n + 2^{n-i}, 2^n + 2^{n+1-i} - 1]$ contains $2^{n-i}$ distinct values and therefore satisfaction of (2.) implies unicity of $k$ since $2^{n+1-i} > 2^{n-i}$. Second, the $i$th bit of $a - 1$ is equal to 1 iff $a_d^i \in [2^{n-i}, 2^{n+1-i} - 1]$. Now, observe that $(2^{i-1} - a_u^i)\, 2^{n+1-i} + (a - 1) = 2^n + a_d^i$. So, if (1.) holds, then $a_d^i \in [2^{n-i}, 2^{n+1-i} - 1]$ and consequently $2^n + a_d^i \in [2^n + 2^{n-i}, 2^n + 2^{n+1-i} - 1]$. So, there is some $k \geq 0$ such that $k \times 2^{n+1-i} + (a - 1) \in [2^n + 2^{n-i}, 2^n + 2^{n+1-i} - 1]$ (take $k = 2^{i-1} - a_u^i$, which is non-negative since $a_u^i \leq 2^{i-1} - 1$). Now, suppose that (2.) holds true. There is $k \geq 0$ such that $k \times 2^{n+1-i} + (a - 1) \in [2^n + 2^{n-i}, 2^n + 2^{n+1-i} - 1]$. So, $k \times 2^{n+1-i} + (a - 1) - 2^n \in [2^{n-i}, 2^{n+1-i} - 1]$ and therefore $k \times 2^{n+1-i} + a_d^i - (2^{i-1} - a_u^i) \times 2^{n+1-i} \in [2^{n-i}, 2^{n+1-i} - 1]$. Since the expression denotes a non-negative value, we have $k \geq 2^{i-1} - a_u^i$ (indeed $a_d^i < 2^{n+1-i}$), and since it denotes a value less than or equal to $2^{n+1-i} - 1$, we have $k \leq 2^{i-1} - a_u^i$. Consequently, $k = 2^{i-1} - a_u^i$ and therefore $a_d^i \in [2^{n-i}, 2^{n+1-i} - 1]$, which is precisely equivalent to the fact that the $i$th bit of $a - 1$ is equal to 1.

The formula $\psi$ is defined from $\Phi$ by replacing each occurrence of $p_i$ by $\mathrm{F}(q_1 \wedge ((x_i - 1) \geq 2^n + 2^{n-i}) \wedge ((x_i - 1) \leq 2^n + 2^{n-i+1} - 1))$. Intuitively, $P$ contains one counter per propositional variable and all the counters hold the same value after the first loop. Next, in the second loop, we check that the $i$th bit of $a - 1$ is one by incrementing $x_i$ by $2^{n+1-i}$. We had to consider $n$ counters since the increments differ. In order to check whether the $i$th bit of counter $x_i$ is one, we add repeatedly $2^{n+1-i}$ to the counter. Note that this ensures that the bits at positions $i$ to $n$ of $x_i - 1$ remain the same, whereas the counter is incremented until its value is greater than or equal to $2^n$. Eventually, when the $i$th bit of $a - 1$ is one, we may deduce that the value $x_i - 1$ will belong to $[2^n + 2^{n-i}, 2^n + 2^{n-i+1} - 1]$. This is explained in Table 1 with $n = 4$.

Table 1: Table showing the effect of the last loop for 4 variables

Let us check the correctness of the reduction. Let $v : \{p_1, \ldots, p_n\} \to \{\top, \bot\}$ be a valuation satisfying $\Phi$. Let us consider the run $\rho$ respecting $P$ such that the first loop is taken $a = (v(p_1) v(p_2) \cdots v(p_n))_2 + 1$ times and the initial counter values are all equal to zero; $\top$ is read as 1, $\bot$ as 0 and $(v(p_1) v(p_2) \cdots v(p_n))_2$ denotes the value of the natural number made of these $n$ bits in binary encoding. Hence, for every $i \in [1, n]$, the counter $x_i$ contains the value $a$ after the first loop. As noted earlier, $v(p_i) = \top$ implies that, adding $2^{n-i+1}$ repeatedly to $x_i$ in the last loop, we will hit $[2^n + 2^{n-i}, 2^n + 2^{n-i+1} - 1]$. Hence, the formula $\mathrm{F}(q_1 \wedge ((x_i - 1) \geq 2^n + 2^{n-i}) \wedge ((x_i - 1) \leq 2^n + 2^{n-i+1} - 1))$ will be satisfied by $\rho$ iff $v(p_i) = \top$. It is thus easy to check that $\rho, 0 \models \psi$. Conversely, if there is a run $\rho$ respecting $P$ such that $\rho, 0 \models \psi$ and the initial counter values are all equal to zero, the valuation $v$ satisfies $\Phi$ where for all $i \in [1, n]$, we have $v(p_i) = \top$ iff the $i$th bit in the binary encoding of $a - 1$ is 1, where $a$ is the number of times the first loop is taken. □
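As an added example (not from the paper), the following Python code executes the arithmetic bit test of the proof above and then runs the whole reduction on small inputs. For every $a \in [1, 2^n]$ and $i \in [1, n]$ it compares condition (1) with condition (2) computed the way the last loop computes it (adding $2^{n+1-i}$ to $x_i = a$ and watching for the window), and checks that the round at which the window is hit is exactly $k = 2^{i-1} - a_u^i$. Bits are numbered from the most significant one, as in the proof. The CNF representation of $\Phi$ (clauses as lists of signed variable indices) and the function names are this example's own conventions.

```python
# Added example (not from the paper): the arithmetic bit test of Lemma 4.9, executed.
# Conventions follow the proof: a in [1, 2^n] is the number of times the first loop
# is taken, the bits of a-1 are numbered 1..n from the most significant one, and the
# last loop adds 2^(n+1-i) to counter x_i (which holds a after the first loop).
# The CNF encoding of Phi (clauses as lists of signed variable indices) is an
# assumption of this example.

def bit_is_one(a, n, i):
    """Condition (1): the i-th bit of a-1 is 1."""
    return (a - 1) >> (n - i) & 1 == 1


def split(a, n, i):
    """(a_u^i, a_d^i): the i-1 leading bits and the n+1-i trailing bits of a-1,
    so that a-1 = a_u^i * 2^(n+1-i) + a_d^i."""
    low = n + 1 - i
    return (a - 1) >> low, (a - 1) & ((1 << low) - 1)


def window(n, i):
    """[2^n + 2^(n-i), 2^n + 2^(n+1-i) - 1]: the window that x_i - 1 must fall into."""
    return 2 ** n + 2 ** (n - i), 2 ** n + 2 ** (n + 1 - i) - 1


def predicted_k(a, n, i):
    """The unique k of the proof: 2^(i-1) - a_u^i (non-negative since a_u^i < 2^(i-1))."""
    return 2 ** (i - 1) - split(a, n, i)[0]


def loop_hits_window(a, n, i):
    """Condition (2), computed the way the last loop does it: x_i starts at a and
    grows by 2^(n+1-i) per round.  Returns the round k at which
    F(q_1 /\ x_i - 1 >= lo /\ x_i - 1 <= hi) becomes true, or None if it never does."""
    lo, hi = window(n, i)
    stride = 2 ** (n + 1 - i)
    x, k = a, 0
    while x - 1 <= hi:          # the counter only grows: past hi the test is lost for good
        if x - 1 >= lo:
            return k
        x, k = x + stride, k + 1
    return None


def equivalence_holds(n):
    """Brute-force (1) <=> (2) and the uniqueness k = 2^(i-1) - a_u^i for all a, i."""
    for a in range(1, 2 ** n + 1):
        for i in range(1, n + 1):
            a_u, a_d = split(a, n, i)
            if a - 1 != a_u * 2 ** (n + 1 - i) + a_d:
                return False
            k = loop_hits_window(a, n, i)
            if bit_is_one(a, n, i) != (k is not None):
                return False
            if k is not None and k != predicted_k(a, n, i):
                return False
    return True


def guessed_valuation(a, n):
    """The valuation encoded by taking the first loop a times, read off through the test."""
    return {i: loop_hits_window(a, n, i) is not None for i in range(1, n + 1)}


def psi_holds(cnf, n, a):
    """psi is Phi with p_i replaced by the F(...) test; a literal l > 0 stands for
    p_l and l < 0 for not p_{-l}."""
    v = guessed_valuation(a, n)
    return all(any(v[abs(lit)] == (lit > 0) for lit in clause) for clause in cnf)


def reduction_says_satisfiable(cnf, n):
    """Existence of a run respecting P (a choice of a in [1, 2^n]) satisfying psi."""
    return any(psi_holds(cnf, n, a) for a in range(1, 2 ** n + 1))


def brute_force_satisfiable(cnf, n):
    """Reference answer: try all 2^n valuations of Phi directly."""
    return any(all(any(((m >> (n - abs(lit))) & 1 == 1) == (lit > 0) for lit in clause)
                   for clause in cnf) for m in range(2 ** n))


if __name__ == "__main__":
    print(equivalence_holds(6), reduction_says_satisfiable([[1, -2], [2, 3], [-1]], 3))
```

The loop in `loop_hits_window` is the point of the construction: the counter is never read bit by bit, only compared against two constants after repeated additions of a fixed stride, which is exactly what a PLTL[C] formula with atomic arithmetic constraints can express.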

We will now see that even simple properties of flat counter systems, such as reachability, are already NP-hard. First we note that a path schema in $\mathcal{CPS}$ can also be seen as a flat counter system with the additional condition of taking each loop at least once. For any state $q$, we write $\mathrm{conf}_0(q)$ to denote the configuration $(q, (0, \ldots, 0))$ (all counter values are equal to zero). The reachability problem REACH($\mathcal{C}$) for a class of counter

Figure 7: A simple path schema

systems $\mathcal{C}$ is defined as:

Input: A counter system $S \in \mathcal{C}$ and two states $q_0$ and $q_f$;
Output: Does there exist a finite run from $\mathrm{conf}_0(q_0)$ to $\mathrm{conf}_0(q_f)$?

We have then the following result concerning the lower bound of reachability in flat counter systems and path schemas from flat counter systems.

Lemma 4.10. REACH($\mathcal{CPS}$) and REACH($\mathcal{CFS}$) are NP-hard.

Proof. The proofs are by reduction from the SAT problem. Using the fact that a $\mathcal{CPS}$ is a special and constrained $\mathcal{CFS}$, we will only prove NP-hardness of REACH($\mathcal{CPS}$) and hence, as a corollary, have the result for REACH($\mathcal{CFS}$). Let $\Phi$ be a Boolean formula built over the propositional variables $AP = \{p_1, \ldots, p_n\}$. We build a path schema $P$ such that $\Phi$ is satisfiable iff there is a run respecting $P$ which starts with the configuration $\mathrm{conf}_0(q_0)$ and visits the configuration $\mathrm{conf}_0(q_f)$. The path schema $P$ is the one described in Figure 7, so that the truth of the propositional variable $p_i$ is encoded by the fact that the loop incrementing $x_i$ is visited at least twice. The guard $g$ is defined as a formula that establishes the correspondence between the truth value of $p_i$ and the number of times the loop incrementing $x_i$ is visited: it is defined from $\Phi$ by replacing each occurrence of $p_i$ by $x_i \geq 2$. Note that, since the $i$th and the $(n+i)$th loops perform complementary operations on the same counter, both loops can be taken an equal number of times.

Let us check the correctness of the reduction. Let $v : AP \to \{\top, \bot\}$ be a valuation satisfying $\Phi$. Let us consider the run $\rho$ respecting $P$ such that $\mathrm{iter}_P(\rho)[i] = k$ and $\mathrm{iter}_P(\rho)[n+i] = k$ for some $k \geq 2$ if $v(p_i) = \top$, and otherwise $\mathrm{iter}_P(\rho)[i] = 1$ and $\mathrm{iter}_P(\rho)[n+i] = 1$, for all $i \in [1, n]$. It is easy to check that the guard $g$ is satisfied by the run, and taking the $i$th loop and the $(n+i)$th loop an equal number of times resets the counter values to zero. Hence the configuration $\mathrm{conf}_0(q_f)$ is reachable. Conversely, if there is a run $\rho$ respecting $P$ and starting with the configuration $\mathrm{conf}_0(q_0)$ such that the configuration $\mathrm{conf}_0(q_f)$ is reachable, then the guard $g$ ensures that the valuation $v$ satisfies $\Phi$ where for all $i \in [1, n]$, we have $v(p_i) = \top$ iff $\mathrm{iter}_P(\rho)[i] \geq 2$. □

5. Characterizing Infinite Runs with a System of Equations

In this section, we show how to build a system of equations from a path schema $P$ and a configuration $c_0$ such that the system of equations encodes the set of all runs respecting $P$ from $c_0$. This can be done for path schemas without disjunctions in guards that satisfy an additional validity property. A path schema $P = p_1 l_1^+ p_2 l_2^+ \cdots p_k l_k^\omega$ is valid whenever it satisfies the conditions below:

1. $\mathrm{effect}(l_k) \geq 0$,

2. if all the guards in transitions in $l_k$ are conjunctions of atomic guards, then for each guard occurring in the loop $l_k$ of the form $\sum_i a_i x_i \sim b$ with $\sim \in \{<, \leq\}$ [resp. with $\sim \in \{=\}$, with $\sim \in \{>, \geq\}$], we have $\sum_i a_i \times \mathrm{effect}(l_k)[i] \leq 0$ [resp. $\sum_i a_i \times \mathrm{effect}(l_k)[i] = 0$, $\sum_i a_i \times \mathrm{effect}(l_k)[i] \geq 0$].

It is easy to check that these conditions are necessary to visit the last loop $l_k$ infinitely often: a counter that decreases at each iteration eventually becomes negative, and a guard whose left-hand side drifts in the wrong direction is eventually violated. More specifically, if a path schema is not valid, then no infinite run can respect it. Moreover, given a path schema, one can decide in polynomial time whether it is valid. Note that below we deal with path schemas $P$ that are not necessarily minimal.

Now, let us consider a (not necessarily minimal) valid path schema $P = p_1 l_1^+ p_2 l_2^+ \cdots p_k l_k^\omega$ ($k \geq 1$) obtained from a flat counter system $S$ such that all the guards on transitions are conjunctions of atomic guards of the form $\sum_i a_i x_i \sim b$ where $a_i \in \mathbb{Z}$, $b \in \mathbb{Z}$ and $\sim \in \{=, <, >, \leq, \geq\}$. Hence, disjunctions are disallowed in guards. The goal of this section (see Lemma 5.1 below) is to characterize the set $\mathrm{iter}_P(c_0) \subseteq \mathbb{N}^{k-1}$, for some initial configuration $c_0$, as the set of solutions of a constraint system. For each loop $l_i$ with $i < k$, we introduce a variable $y_i$, whence the number of variables of the system/formula is precisely $k - 1$. A constraint system $\mathcal{E}$ over the set of variables $\{y_1, \ldots, y_n\}$ is a quantifier-free Presburger formula built over $\{y_1, \ldots, y_n\}$ as a conjunction of atomic constraints of the form $\sum_i a_i y_i \sim b$ where $a_i, b \in \mathbb{Z}$ and $\sim \in \{=, <, >, \leq, \geq\}$. Conjunctions of atomic counter constraints and constraint systems are essentially the same objects, but the distinction in this place allows us to emphasize their different purposes: guards on counters in operational models, and symbolic representations of sets of tuples.

Let us build a constraint system $\mathcal{E}$ defined from $P$ that characterizes the set $\mathrm{iter}_P(c_0)$ included in $\mathbb{N}^{k-1}$ for some initial configuration $c_0 = (q_0, \mathbf{v}_0)$. For all $\alpha \in [1, k]$ and all $i \in [1, n]$, we write $\mathrm{effect}^{<}(l_\alpha)[i]$ to denote the term below:

$$\mathbf{v}_0[i] + (\mathrm{effect}(p_1) + \cdots + \mathrm{effect}(p_\alpha))[i] + \mathrm{effect}(l_1)[i]\, y_1 + \cdots + \mathrm{effect}(l_{\alpha-1})[i]\, y_{\alpha-1}$$

It corresponds to the value of the counter $i$ just before entering the loop $l_\alpha$. Similarly, for all $\alpha \in [1, k]$ and all $i \in [1, n]$, we write $\mathrm{effect}^{<}(p_\alpha)[i]$ to denote

$$\mathbf{v}_0[i] + (\mathrm{effect}(p_1) + \cdots + \mathrm{effect}(p_{\alpha-1}))[i] + \mathrm{effect}(l_1)[i]\, y_1 + \cdots + \mathrm{effect}(l_{\alpha-1})[i]\, y_{\alpha-1}$$

It corresponds to the value of the counter $i$ just before entering the segment $p_\alpha$. In this way, for each segment $p$ in $P$ (either a loop or a non-loop segment) and each $\beta \in [0, \mathrm{len}(p) - 1]$, the term below refers to the value of counter $i$ just before entering for the first time the $(\beta+1)$th transition of $p$:

$$\mathrm{effect}^{<}(p)[i] + \mathrm{effect}(p[0] \cdots p[\beta-1])[i]$$

Similarly, the value of counter $i$ just before entering for the last time the $(\beta+1)$th transition of $l_\alpha$ is represented by the term below:

$$\mathrm{effect}^{<}(l_\alpha)[i] + \mathrm{effect}(l_\alpha)[i]\,(y_\alpha - 1) + \mathrm{effect}(l_\alpha[0] \cdots l_\alpha[\beta-1])[i]$$

The set of conjuncts in $\mathcal{E}$ is defined as follows. Each conjunct corresponds to a specific constraint on runs respecting $P$.

$\mathcal{E}_1$: Each loop is visited at least once:

$$y_1 \geq 1 \wedge \cdots \wedge y_{k-1} \geq 1$$

$\mathcal{E}_2$: Counter values are non-negative. Let us consider the following constraints.

• For each segment $p$ and each $\beta \in [0, \mathrm{len}(p) - 1]$, the value of counter $i$ just before entering for the first time the $(\beta+1)$th transition of $p$ is non-negative:

$$\mathrm{effect}^{<}(p)[i] + \mathrm{effect}(p[0] \cdots p[\beta-1])[i] \geq 0$$

The segment $p$ can be either a loop or a non-loop segment.

• For each $\alpha \in [1, k-1]$ and each $\beta \in [0, \mathrm{len}(l_\alpha) - 1]$, the value of counter $i$ just before entering for the last time the $(\beta+1)$th transition of $l_\alpha$ is non-negative:

$$\mathrm{effect}^{<}(l_\alpha)[i] + \mathrm{effect}(l_\alpha)[i]\,(y_\alpha - 1) + \mathrm{effect}(l_\alpha[0] \cdots l_\alpha[\beta-1])[i] \geq 0$$

Convexity guarantees that this is sufficient for preserving non-negativity: the value before the $(\beta+1)$th transition in the $m$th iteration is affine in $m$, so it lies between the first-iteration and last-iteration values.

$\mathcal{E}_3$: Counter values should satisfy the guards the first time a transition is visited. For each segment $p$ in $P$, each $\beta \in [0, \mathrm{len}(p) - 1]$ and each atomic guard $\sum_i a_i x_i \sim b$ occurring in $\mathrm{guard}(p(\beta))$, we add the atomic constraint:

$$\sum_i a_i \left(\mathrm{effect}^{<}(p)[i] + \mathrm{effect}(p[0] \cdots p[\beta-1])[i]\right) \sim b$$

$\mathcal{E}_4$: Counter values should satisfy the guards the last time a transition is visited. This applies to loops only. For each $\alpha \in [1, k-1]$, each $\beta \in [0, \mathrm{len}(l_\alpha) - 1]$ and each atomic guard $\sum_i a_i x_i \sim b$ occurring in $\mathrm{guard}(l_\alpha(\beta))$, we add the atomic constraint:

$$\sum_i a_i \left(\mathrm{effect}^{<}(l_\alpha)[i] + \mathrm{effect}(l_\alpha)[i]\,(y_\alpha - 1) + \mathrm{effect}(l_\alpha[0] \cdots l_\alpha[\beta-1])[i]\right) \sim b$$

No condition is needed for the last loop since the path schema $P$ is valid.
Now, let us bound the number of equalities or inequalities above. To do so, we write $A_G$ to denote the number of atomic guards in $P$.

• The number of conjuncts in $\mathcal{E}_1$ is $k - 1 \leq \mathrm{len}(P)$.

• The number of conjuncts in $\mathcal{E}_2$ is bounded by $\mathrm{len}(P) \times n + \mathrm{len}(P) \times n = 2n \times \mathrm{len}(P)$.

• The number of conjuncts in $\mathcal{E}_3$ [resp. $\mathcal{E}_4$] is bounded by $\mathrm{len}(P) \times A_G$.

So, the number of conjuncts in $\mathcal{E}$ is bounded by $2 \times \mathrm{len}(P) \times (1 + n + A_G) \leq 2 \times \mathrm{len}(P) \times n(1 + A_G)$. Since $n, 1 + A_G \leq \mathrm{size}(P)$, we get that this number is bounded by $\mathrm{len}(P) \times 2 \times \mathrm{size}(P)^2$.

Let $K$ be the maximal absolute value of constants occurring either in $P$ or in $\mathbf{v}_0$. Let us bound the maximal absolute value of constants in $\mathcal{E}$. To do so, we start by a few observations.

• A path segment $p$ has at most $\mathrm{len}(P)$ transitions and therefore the maximal absolute value occurring in $\mathrm{effect}(p)$ is at most $K \times \mathrm{len}(P)$.

• The maximal absolute value occurring in $\mathrm{effect}^{<}(p)$ is at most $K + K \times \mathrm{len}(P) = K(1 + \mathrm{len}(P))$. The first occurrence of $K$ comes from the counter values in the initial configuration.

Consequently, we can make the following conclusions.

• The maximal absolute value of constants in $\mathcal{E}_1$ is 1.

• The maximal absolute value of constants in the first part of $\mathcal{E}_2$ is bounded by $K(1 + \mathrm{len}(P)) + K\,\mathrm{len}(P) \leq 2K(\mathrm{len}(P) + 1)$.

• In the second part of $\mathcal{E}_2$, the segments $p_1, \ldots, p_\alpha$ and the loop $l_\alpha$ are disjoint parts of $P$, and the transitions of $l_\alpha$ contribute at most twice (once through $\mathrm{effect}(l_\alpha)[i]\,(y_\alpha - 1)$ and once through the prefix $l_\alpha[0] \cdots l_\alpha[\beta-1]$). So the maximal absolute value of constants in the second part of $\mathcal{E}_2$ is bounded by $K + 2K\,\mathrm{len}(P) \leq 2K(\mathrm{len}(P) + 1)$, and the maximal absolute value of constants in $\mathcal{E}_2$ is bounded by $2K(\mathrm{len}(P) + 1)$.

• The maximal absolute value of constants in $\mathcal{E}_3$ or $\mathcal{E}_4$ is bounded by $n \times K \times 2K(\mathrm{len}(P) + 1) + K$. The last occurrence of $K$ is due to the constant $b$ in the atomic constraint.

Consequently, the maximal absolute value of constants in $\mathcal{E}$ is bounded by $2nK^2(\mathrm{len}(P) + 1) + K \leq 2n \times K(K + 2) \times (\mathrm{len}(P) + 1)$. When $P$ is a minimal path schema, note that $\mathrm{len}(P) \leq 2 \times \mathrm{card}(\Delta) \leq 2 \times \mathrm{size}(S)$ and $k \leq \mathrm{card}(Q) \leq \mathrm{size}(S)$.

Lemma 5.1. Let $S = (Q, C_n, \Delta, l)$ be a flat counter system without disjunctions in guards, $P = p_1 l_1^{+} \cdots p_k l_k^{\omega}$ be one of its valid path schemas and $c_0$ be a configuration. One can compute a constraint system $\Sigma$ such that

• the set of solutions of $\Sigma$ is equal to $\mathrm{iter}_P(c_0)$,

• $\Sigma$ has $k - 1$ variables,

• $\Sigma$ has at most $\mathrm{len}(P) \times 2 \times \mathrm{size}(P)^2$ conjuncts,

• the greatest absolute value of constants in $\Sigma$ is bounded by $2n \times K(K+2) \times (\mathrm{len}(P)+1)$.

Proof The constraint system $\Sigma$ is the one built above.

(*) Let $\rho = (q_0, v_0)(q_1, v_1)(q_2, v_2) \cdots$ be an infinite run respecting the path schema $P$ with $c_0 = (q_0, v_0)$. We write $V : \{y_1, \ldots, y_{k-1}\} \to \mathbb{N}$ to denote the valuation such that for every $\alpha \in [1, k-1]$, we have $V(y_\alpha) = \mathrm{iter}_P(\rho)[\alpha]$. $V$ is extended naturally to terms built over variables in $\{y_1, \ldots, y_{k-1}\}$, the range becoming $\mathbb{Z}$. Let us check that $V \models \Sigma$.

1. Since $\rho$ respects $P$, each loop $l_i$ is visited at least once and therefore
2. We have seen that the value below

$V\big(\mathrm{effect}^{<}(p)[i] + \mathrm{effect}(p[0] \cdots p[\beta-1])[i]\big)$

is equal to the value of counter $i$ just before entering for the first time in the $(\beta+1)$th transition of $p$. Similarly, the value below

$V\big(\mathrm{effect}^{<}(l_\alpha)[i] + \mathrm{effect}(l_\alpha)[i](y_\alpha - 1) + \mathrm{effect}(l_\alpha[0] \cdots l_\alpha[\beta-1])[i]\big)$

is equal to the value of counter $i$ before entering for the last time in the $(\beta+1)$th transition of $l_\alpha$. Since $\rho$ is a run, these values are non-negative, whence $V \models \Sigma_2$.

3. Since $\rho$ is a run, whenever a transition is fired, all its guards are satisfied. Hence, for each segment $p$ in $P$, for each $\beta \in [0, \mathrm{len}(p) - 1]$ and each atomic guard $\sum_i a_i x_i \sim b \in \mathrm{guard}(p(\beta))$, we have

$\sum_i a_i V\big(\mathrm{effect}^{<}(p)[i] + \mathrm{effect}(p[0] \cdots p[\beta-1])[i]\big) \sim b$

Similarly, for each $\alpha \in [1, k-1]$, each $\beta \in [0, \mathrm{len}(l_\alpha) - 1]$ and each atomic guard $\sum_i a_i x_i \sim b \in \mathrm{guard}(l_\alpha(\beta))$, we have

$\sum_i a_i V\big(\mathrm{effect}^{<}(l_\alpha)[i] + \mathrm{effect}(l_\alpha)[i](y_\alpha - 1) + \mathrm{effect}(l_\alpha[0] \cdots l_\alpha[\beta-1])[i]\big) \sim b$

Consequently, $V \models \Sigma_3 \wedge \Sigma_4$.
(**) It remains to show the property in the other direction. Let $V : \{y_1, \ldots, y_{k-1}\} \to \mathbb{N}$ be a solution of $\Sigma$. Let

and let us build an $\omega$-sequence $\rho' = (q_0, x_0)(q_1, x_1)(q_2, x_2) \cdots \in (Q \times \mathbb{Z}^n)^\omega$, that will later be shown to be an infinite run respecting the path schema $P$ with $c_0 = (q_0, v_0)$. Here is how $\rho'$ is defined (note that the definition does not assume that $\rho'$ needs to be a run):

• For every $i \geq 0$, $q_i = \mathrm{source}(w(i))$,

• $x_0 = v_0$ and for every $i \geq 1$, we have $x_i = x_{i-1} + \mathrm{update}(w(i))$.

In order to show that $\rho'$ is an infinite run respecting $P$, we have to check three main properties.

1. Since $V \models \Sigma_2$, for each segment $p$ in $P$ and each $\beta \in [0, \mathrm{len}(p) - 1]$, counter values just before entering for the first time in the $(\beta+1)$th transition of $p$ are non-negative. Moreover, for each $\alpha \in [1, k-1]$ and each $\beta \in [0, \mathrm{len}(l_\alpha) - 1]$, counter values just before entering for the last time in the $(\beta+1)$th transition of $l_\alpha$ are non-negative too. We also have to guarantee that for $j \in [2, V(y_\alpha) - 1]$, counter values just before entering for the $j$th time in the $(\beta+1)$th transition of $l_\alpha$ are non-negative. This is a consequence of the fact that if $z,\ z + V(y_\alpha)\,\mathrm{effect}(l_\alpha) \geq 0$, then for $j \in [2, V(y_\alpha) - 1]$, we have $z + j \times \mathrm{effect}(l_\alpha) \geq 0$ (convexity). Consequently, for $i \geq 0$, we have $x_i \geq 0$.

2. Similarly, counter values should satisfy the guards for each fired transition. Since $V \models \Sigma_3$, for each segment $p$ in $P$, each $\beta \in [0, \mathrm{len}(p) - 1]$ and each atomic guard $\sum_i a_i x_i \sim b \in \mathrm{guard}(p(\beta))$, counter values satisfy it the first time the transition is visited. Moreover, since $V \models \Sigma_4$, for each $\alpha \in [1, k-1]$, each $\beta \in [0, \mathrm{len}(l_\alpha) - 1]$ and each atomic guard $\sum_i a_i x_i \sim b \in \mathrm{guard}(l_\alpha(\beta))$, counter values satisfy it the last time the transition is visited. However, we also have to guarantee that for $j \in [2, V(y_\alpha) - 1]$, counter values just before entering for the $j$th time in the $(\beta+1)$th transition of $l_\alpha$ satisfy all the guards. This is a consequence of the fact that if $\sum_i a_i z[i] \sim b$ and $\sum_i a_i (z + V(y_\alpha)\,\mathrm{effect}(l_\alpha))[i] \sim b$, then for $j \in [2, V(y_\alpha) - 1]$, we have $\sum_i a_i (z + j \times \mathrm{effect}(l_\alpha))[i] \sim b$ (convexity). Hence, $\rho'$ is a run starting at $c_0$.
3. It remains to show that $\rho'$ respects $P$. Since $\rho'$ is a run (see (1) and (2) above), by construction of $\rho'$, it respects $P$ thanks to $V \models \Sigma_1$. Indeed, by definition, each loop has to be visited at least once.

□ 
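The first-visit and last-visit checks that $\Sigma_2$ to $\Sigma_4$ encode, and the convexity argument that makes the intermediate visits redundant, can be exercised on a small schema. The following is an added illustration, not code from the paper: `first_last_checks` evaluates non-negativity and the atomic guards only on the first traversal of every segment and the last traversal of every loop for a given choice of loop counts, `simulate` replays every visit, and `compare` confirms that the two agree for all loop counts in a box (the content of Lemma 5.1). The schema encoding, the guard encoding and the replacement of the $\omega$-loop by a finite count are assumptions of this example.

```python
"""First-visit / last-visit constraints of Section 5 versus full replay.

Added illustration, not code from the paper.  Assumed encoding: a transition
is (guard, update) with update a tuple in Z^n and guard a list of atomic
constraints (coeffs, op, b) read as sum_i coeffs[i]*x_i op b (a conjunction,
no disjunctions, as Section 5 assumes); a path schema is a list of segments
(transitions, is_loop).  Every loop, including the last one, gets a count
y_alpha >= 1 (the omega-loop of the paper is replayed a finite number of times).
"""
from itertools import product

OPS = {'=': lambda x, b: x == b, '<=': lambda x, b: x <= b, '>=': lambda x, b: x >= b,
       '<': lambda x, b: x < b, '>': lambda x, b: x > b}


def add(v, u):
    return tuple(a + b for a, b in zip(v, u))


def scale(u, c):
    return tuple(c * a for a in u)


def effect(transitions, n):
    """effect(p): the sum of the updates along a segment."""
    e = (0,) * n
    for _, upd in transitions:
        e = add(e, upd)
    return e


def admissible(v, guard):
    """v is non-negative (we stay in N^n) and satisfies every atomic constraint."""
    return all(x >= 0 for x in v) and all(
        OPS[op](sum(a * x for a, x in zip(coeffs, v)), b) for coeffs, op, b in guard)


def counts(schema, y):
    """How often each segment is traversed: once for a path segment, y_alpha for a loop."""
    it = iter(y)
    return [next(it) if is_loop else 1 for _, is_loop in schema]


def simulate(schema, y, v0):
    """Reference semantics: replay every visit of every transition."""
    v = v0
    for (trs, _), times in zip(schema, counts(schema, y)):
        for _ in range(times):
            for guard, upd in trs:
                if not admissible(v, guard):
                    return False
                v = add(v, upd)
    return True


def first_last_checks(schema, y, v0):
    """The checks encoded by Sigma_2..Sigma_4: the value just before the (beta+1)th
    transition on the first traversal is effect^<(p) + effect(p[0..beta-1]); on the
    last traversal of a loop it is shifted by (y_alpha - 1) * effect(l_alpha).
    Intermediate traversals are not examined: convexity makes them redundant."""
    n = len(v0)
    v = v0                                   # effect^<(p): value on entering the segment
    for (trs, _), times in zip(schema, counts(schema, y)):
        eff = effect(trs, n)
        for start in {v, add(v, scale(eff, times - 1))}:   # first and last traversal
            cur = start
            for guard, upd in trs:
                if not admissible(cur, guard):
                    return False
                cur = add(cur, upd)
        v = add(v, scale(eff, times))
    return True


def compare(schema, v0, bound):
    """For every loop-count vector y in [1,bound]^(#loops), the Sigma-style checks
    must agree with the full replay (Lemma 5.1).  Returns (agree, accepted ys)."""
    loops = sum(1 for _, is_loop in schema if is_loop)
    accepted = []
    for y in product(range(1, bound + 1), repeat=loops):
        a, b = first_last_checks(schema, y, v0), simulate(schema, y, v0)
        if a != b:
            return False, accepted
        if a:
            accepted.append(y)
    return True, accepted


# Constructed sample: two counters x1, x2 starting at (0, 0).
#   p1: x := x + (3, 0)
#   l1: guard x1 - x2 >= 1, update (-1, +1)   (can be traversed at most twice)
#   p2: guard x1 + x2 = 3, no update
#   l2: no guard, update (+2, -1)             (x2 must stay >= 0)
SCHEMA = [
    ([([], (3, 0))], False),
    ([([((1, -1), '>=', 1)], (-1, 1))], True),
    ([([((1, 1), '=', 3)], (0, 0))], False),
    ([([], (2, -1))], True),
]

if __name__ == "__main__":
    print(compare(SCHEMA, (0, 0), 5))   # (True, [(1, 1), (1, 2), (2, 1), (2, 2), (2, 3)])
```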

6. From One Minimal Schema to Several Schemas 

Given a flat counter system $S = (Q, C_n, \Delta, l)$, a configuration $c_0 = (q_0, v_0)$ and a minimal path schema $P$ starting from the configuration $c_0$, we build a finite set $Y_P$ of path schemas such that

1. each path schema in $Y_P$ has transitions without disjunctions in guards,

2. the existence of a run respecting $P$ is equivalent to the existence of a path schema in $Y_P$ having a run respecting it,

3. each path schema in $Y_P$ is obtained from $P$ by unfolding loops so that the terms in each loop satisfy the same atomic guards.

Moreover, we shall see that the cardinality of $Y_P$ is at most exponential in the size of $P$. Note that each path schema in $Y_P$ comes with an implicit counter system (typically containing exactly the states and transitions occurring in the path schema). So, below, we explain how we can get rid of disjunctions. Note also that disjunctions can easily be eliminated at the cost of adding new transitions between states, but this type of transformation may easily destroy flatness. That is why we shall follow a different path.

6.1. Term maps 

Before defining $Y_P$, let us introduce a few definitions. Let $B$ be a finite non-empty set of integers containing all the constants $b$ occurring in guards of $S$ of the form $t \sim b$ and $T$ be a finite set of terms containing all the terms $t$ occurring in guards of $S$ of the form $t \sim b$. Assuming that $B = \{b_1, \ldots, b_m\}$ with $b_1 < \cdots < b_m$, we write $I$ to denote the finite set of intervals $I = \{(-\infty, b_1 - 1], [b_1, b_1], [b_1 + 1, b_2 - 1], [b_2, b_2], \ldots, [b_m, b_m], [b_m + 1, \infty)\} \setminus \{\emptyset\}$. Note that $[b_j + 1, b_{j+1} - 1] = \emptyset$ if $b_{j+1} = b_j + 1$. Note that $I$ contains at most $2m + 1$ intervals and at least $m + 2$ intervals. We consider the natural linear ordering $<$ on intervals in $I$ that respects the standard relation $<$ on integers. A term map $m$ is a map $m : T \to I$ that abstracts term values.
Definition 6.1. Given a loop effect $u \in \mathbb{Z}^n$, we define the relation $\preceq_u$ such that $m \preceq_u m'$ iff for every term $t = \sum_i a_i x_i \in T$, we have

• $m(t) \leq m'(t)$ if $\sum_i a_i u[i] > 0$,

• $m(t) \geq m'(t)$ if $\sum_i a_i u[i] < 0$,

• $m(t) = m'(t)$ if $\sum_i a_i u[i] = 0$.

We write $m \prec_u m'$ whenever $m \preceq_u m'$ and $m \neq m'$.

Sequences of strictly increasing term maps have bounded length. 

Lemma 6.2. Let $u \in \mathbb{Z}^n$ and $m_1 \prec_u m_2 \prec_u \cdots \prec_u m_L$. Then, $L \leq \mathrm{card}(I) \times \mathrm{card}(T) \leq 2 \times \mathrm{card}(T) \times \mathrm{card}(B) + \mathrm{card}(T)$.

Proof Given a term map $m$ and a term $t$, $m(t)$ can obviously take one of the $\mathrm{card}(I)$ values from $I$. For each term $t$,

(increasing) either $m_1(t) \leq \cdots \leq m_L(t)$
(decreasing) or $m_L(t) \leq \cdots \leq m_1(t)$.

Also, there are $\mathrm{card}(T)$ terms. Hence, the number of different maps that are either decreasing or increasing can be $\mathrm{card}(T) \times \mathrm{card}(I)$. Again, we know that $\mathrm{card}(I) \leq 2 \times \mathrm{card}(B) + 1$. Hence, $L$, the number of different term maps in a sequence which is either increasing or decreasing, can be at most $\mathrm{card}(I) \times \mathrm{card}(T) \leq 2 \times \mathrm{card}(T) \times \mathrm{card}(B) + \mathrm{card}(T)$. □

Given a guard $g$ using the syntactic resources from $T$ and $B$, and a term map $m$, we write $m \vdash g$ with the following inductive definition:

• $m \vdash t = b$ iff $m(t) = [b, b]$;

• $m \vdash t \leq b$ iff $m(t) \subseteq (-\infty, b]$;

• $m \vdash t \geq b$ iff $m(t) \subseteq [b, +\infty)$;

• $m \vdash t < b$ iff $m(t) \subseteq (-\infty, b)$;

• $m \vdash t > b$ iff $m(t) \subseteq (b, +\infty)$;

• $m \vdash g_1 \wedge g_2$ iff $m \vdash g_1$ and $m \vdash g_2$;

• $m \vdash g_1 \vee g_2$ iff $m \vdash g_1$ or $m \vdash g_2$.
The relation $\vdash$ is nothing else than the symbolic satisfaction relation between term values and guards. Since term maps and guards are built over the same sets of terms and constants, completeness is obtained as stated in Lemma 6.3(II) below. Furthermore, Lemma 6.3(I) states that the relation $\vdash$ is easy to check.

Lemma 6.3.

(I) $m \vdash g$ can be checked in PTime in $\mathrm{size}(m) + \mathrm{size}(g)$.

(II) $m \vdash g$ iff for all $v : \{x_1, x_2, \ldots, x_n\} \to \mathbb{N}$ and for all $t \in T$, $v(t) \in m(t)$ implies $v \models g$.

It is worth noting that $\mathrm{size}(m)$ is in $O(\mathrm{card}(I) \times \mathrm{card}(T))$.



Proof

(I) For the PTime algorithm we follow the following steps. First, for each constraint $t \sim b$ appearing in $g$, we replace it either by $\top$ (true) or $\bot$ (false) depending on whether $m \vdash t \sim b$ or not. After replacing all constraints, we are left with a positive Boolean formula whose atomic formulae are either $\top$ or $\bot$. It can be evaluated in logarithmic space in the size of the resulting formula (less than $\mathrm{size}(g)$), see e.g. [26].

Note that given a term map $m$ and a constraint $t \sim b$, checking $m \vdash t \sim b$ amounts to checking the containment of the interval $m(t)$ in a specified interval depending on $\sim$. This can be achieved by comparing the end-points of the intervals, which can be done in polynomial time in $\mathrm{size}(t) + \mathrm{size}(m)$. As the number of constraints is also bounded by $\mathrm{size}(g)$, the replacement of atomic constraints can be performed in polynomial time in $\mathrm{size}(m) + \mathrm{size}(g)$. Thus, the procedure completes in time polynomial in $\mathrm{size}(m) + \mathrm{size}(g)$.

(II) Consider that $m \vdash g$ and some $v : \{x_1, x_2, \ldots, x_n\} \to \mathbb{N}$ such that $v(t)$ lies in the interval $m(t)$ for each term $t \in T$. Now we prove inductively on the structure of $g$ that $v \models g$.

— Base Case: As base case we have the arithmetical constraints of the guard. Consider a constraint of the form $t \leq b$. Since $m \vdash g$, we have that $m(t) \subseteq (-\infty, b]$. Since $v(t)$ lies in the interval $m(t)$, $v(t) \in (-\infty, b]$. Note that in this case $v \models t \leq b$. Similarly, for the other types of constraints $t \sim b$, observe that if $v(t) \in m(t)$ then $v(t)$ lies in the interval specified in the definition of $\vdash$ and thus $v \models t \sim b$.

— Inductive step: The induction step for $\wedge$ and $\vee$ follows easily.

On the other hand, consider some valuation $v$ with $v(t) \in m(t)$ for each $t \in T$ and $v \models g$. Similarly to the above, we use an inductive argument to show that $m \vdash g$.

— Base Case: Again consider the arithmetical constraints of the guard. Specifically, we consider constraints of the form $t \geq b$. As $v \models t \geq b$, we know that $v(t) \in [b, +\infty)$. Since $v(t) \in m(t)$, we have that $m(t) \subseteq [b, +\infty)$. Hence, $m \vdash t \geq b$. Similarly, for constraints of other forms $t \sim b$, $v(t)$ lies in the interval exactly specified in the definition of $\vdash$. Thus, $m \vdash t \sim b$.

— Inductive step: Again, the induction step for $\wedge$ and $\vee$ follows easily.

□ 
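The objects of Section 6.1 are small enough to be run on concrete data: the interval set $I$ built from $B$, the term map abstracting a valuation, the relation $\preceq_u$ of Definition 6.1 and the symbolic satisfaction $m \vdash g$ of Lemma 6.3(I). The following is an added illustration, not code from the paper; it also checks Lemma 6.3(II) on a finite box of valuations by comparing $m \vdash g$ with $v \models g$ for every valuation $v$ abstracted to $m$. The encodings of intervals, terms and guards are assumptions of this example, as are the sample sets $T$, $B$ and the guard $G$.

```python
"""Intervals, term maps and the symbolic satisfaction m |- g of Section 6.1.

Added illustration, not code from the paper.  Assumed encoding: an interval is
a pair (lo, hi) with None for -infinity / +infinity; a term sum_i a_i x_i is the
coefficient tuple (a_1, ..., a_n); a guard is a nested tuple
    ('atom', term, op, b)   with op in {'=', '<=', '>=', '<', '>'}
    ('and', g1, g2) | ('or', g1, g2)          (positive Boolean formulae only)
"""
from itertools import product


def intervals(B):
    """The set I built from B = {b_1 < ... < b_m}; empty gaps [b_j+1, b_{j+1}-1] are dropped."""
    bs = sorted(set(B))
    I = [(None, bs[0] - 1)]
    for j, b in enumerate(bs):
        I.append((b, b))
        if j + 1 < len(bs) and b + 1 <= bs[j + 1] - 1:
            I.append((b + 1, bs[j + 1] - 1))
    I.append((bs[-1] + 1, None))
    return I


def contained(iv, lo, hi):
    """iv is included in [lo, hi] over the integers, None meaning unbounded on that side."""
    a, b = iv
    return (lo is None or (a is not None and a >= lo)) and \
           (hi is None or (b is not None and b <= hi))


def eval_term(term, v):
    return sum(a * x for a, x in zip(term, v))


def term_map(T, v, I):
    """The unique m : T -> I with v(t) in m(t) for every t, as in Definition 6.4."""
    m = {}
    for t in T:
        x = eval_term(t, v)
        m[t] = next(iv for iv in I if contained((x, x), *iv))
    return m


# Target interval of the atomic constraint t ~ b from the definition of m |- t ~ b;
# over the integers (-inf, b) is (-inf, b-1] and (b, +inf) is [b+1, +inf).
_TARGET = {'=': lambda b: (b, b), '<=': lambda b: (None, b), '>=': lambda b: (b, None),
           '<': lambda b: (None, b - 1), '>': lambda b: (b + 1, None)}


def sym_sat(m, g):
    """m |- g: each atom becomes an interval containment test (m(t) = [b,b] iff
    m(t) is included in [b,b] since m(t) is non-empty), then the positive formula
    is evaluated, as in the proof of Lemma 6.3(I)."""
    if g[0] == 'atom':
        _, t, op, b = g
        return contained(m[t], *_TARGET[op](b))
    if g[0] == 'and':
        return sym_sat(m, g[1]) and sym_sat(m, g[2])
    if g[0] == 'or':
        return sym_sat(m, g[1]) or sym_sat(m, g[2])
    raise ValueError(g[0])


def conc_sat(v, g):
    """v |= g on concrete counter values."""
    if g[0] == 'atom':
        _, t, op, b = g
        x = eval_term(t, v)
        return {'=': x == b, '<=': x <= b, '>=': x >= b, '<': x < b, '>': x > b}[op]
    if g[0] == 'and':
        return conc_sat(v, g[1]) and conc_sat(v, g[2])
    return conc_sat(v, g[1]) or conc_sat(v, g[2])


def preceq(m1, m2, u, T, I):
    """m1 preceq_u m2 of Definition 6.1; intervals are ordered by their position in I."""
    pos = {iv: k for k, iv in enumerate(I)}
    for t in T:
        d = eval_term(t, u)                    # sum_i a_i u[i]
        p1, p2 = pos[m1[t]], pos[m2[t]]
        if (d > 0 and p1 > p2) or (d < 0 and p1 < p2) or (d == 0 and p1 != p2):
            return False
    return True


def check_completeness(T, B, g, bound):
    """Lemma 6.3(II) on a finite box of valuations: when g only uses terms from T
    and constants from B, m |- g agrees with v |= g for every v abstracted to m.
    Returns (agreement on the whole box, number of distinct term maps met)."""
    I = intervals(B)
    seen = set()
    for v in product(range(bound + 1), repeat=len(T[0])):
        m = term_map(T, v, I)
        seen.add(tuple(m[t] for t in T))
        if sym_sat(m, g) != conc_sat(v, g):
            return False, len(seen)
    return True, len(seen)


# Constructed sample: two counters, T = {x1 + x2, x1 - x2}, B = {0, 3} and
# G = (x1 + x2 >= 3) or ((x1 - x2 = 0) and (x1 + x2 < 3)).
T = ((1, 1), (1, -1))
B = (0, 3)
I = intervals(B)                                # [(None,-1),(0,0),(1,2),(3,3),(4,None)]
G = ('or', ('atom', (1, 1), '>=', 3),
           ('and', ('atom', (1, -1), '=', 0), ('atom', (1, 1), '<', 3)))

if __name__ == "__main__":
    print(term_map(T, (1, 0), I), sym_sat(term_map(T, (1, 0), I), G))
    print(check_completeness(T, B, G, 6))       # (True, 12)
```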

A resource $R$ is a triple $(X, T, B)$ such that $X$ is a finite set of propositional variables, $T$ is a finite set of terms and $B$ is a finite set of integers. Without any loss of generality, we assume that all these sets are non-empty in order to avoid the treatment of (easy) particular cases. A formula $\phi \in \mathrm{PLTL[C]}$ is built over $R$ whenever the atomic formulae are of the form either $p \in X$ or $t \sim b$ with $t \in T$ and $b \in B$. A footprint is an abstraction of a model for PLTL[C] restricted to elements from the resource $R$. More precisely, a footprint $\mathrm{ft}$ is of the form $\mathrm{ft} : \mathbb{N} \to 2^X \times I^T$ where $I$ is the set of intervals built from $B$, whence the first element of $\mathrm{ft}(i)$ is a propositional valuation and the second one is a term map. The satisfiability relation $\models$ involving models or runs can be adapted to footprints as follows, where formulae and footprints are obtained from the same resource $R$:

• $\mathrm{ft}, i \models_{\mathrm{symb}} p$ iff $p \in \pi_1(\mathrm{ft}(i))$,

• $\mathrm{ft}, i \models_{\mathrm{symb}} t \geq b$ iff $\pi_2(\mathrm{ft}(i))(t) \subseteq [b, +\infty)$,

• $\mathrm{ft}, i \models_{\mathrm{symb}} t \leq b$ iff $\pi_2(\mathrm{ft}(i))(t) \subseteq (-\infty, b]$,

• $\mathrm{ft}, i \models_{\mathrm{symb}} \mathrm{X}\phi$ iff $\mathrm{ft}, i+1 \models_{\mathrm{symb}} \phi$,

• $\mathrm{ft}, i \models_{\mathrm{symb}} \phi \mathrm{U} \psi$ iff there is $j \geq i$ such that $\mathrm{ft}, j \models_{\mathrm{symb}} \psi$ and for $j' \in [i, j-1]$, we have $\mathrm{ft}, j' \models_{\mathrm{symb}} \phi$.

We omit the clauses for Boolean connectives, past-time operators and other arithmetical constraints since their definitions are as expected. Actually, $\models_{\mathrm{symb}}$ is exactly the satisfaction relation for plain Past LTL when arithmetical constraints are understood as abstract propositions.

Definition 6.4. Let $R = (X, T, B)$ be a resource and $\rho = (q_0, v_0), (q_1, v_1) \cdots$ be an infinite run of $S$. The footprint of $\rho$ with respect to $R$ is the footprint $\mathrm{ft}(\rho)$ such that for $i \geq 0$, we have $\mathrm{ft}(\rho)(i) = (l(q_i) \cap X, m_i)$ where for every term $t = \sum_j a_j x_j \in T$, we have $\sum_j a_j v_i[j] \in m_i(t)$.

Note that $\sum_j a_j v_i[j]$ belongs to a unique element of $I$ since $I$ is a partition of $\mathbb{Z}$. Hence, Definition 6.4 makes sense. Lemma 6.6 below roughly states that satisfaction of a formula on a run can be checked symbolically from the footprint (this turns out to be useful for the correctness of the forthcoming Algorithm 1).

Lemma 6.5. Let $R = (X, T, B)$ be a resource, $\rho = (q_0, v_0), (q_1, v_1) \cdots$ be an infinite run, $i \geq 0$ be a position and $\phi$ be a formula in PLTL[C] built over $R$. Then $\rho, i \models \phi$ iff $\mathrm{ft}(\rho), i \models_{\mathrm{symb}} \phi$.

Proof The proof is by structural induction.

• Base Case 1 ($p \in X$): we have the following equivalences:

- $\rho, i \models p$,

- $p \in l(q_i)$ (by definition of $\models$),

- $p \in \pi_1(\mathrm{ft}(\rho)(i))$ (by definition of $\mathrm{ft}(\rho)$),

- $\mathrm{ft}(\rho), i \models_{\mathrm{symb}} p$ (by definition of $\models_{\mathrm{symb}}$).

• Base Case 2 ($\sum_j a_j x_j \leq b$ with $\sum_j a_j x_j \in T$ and $b \in B$): we have the following equivalences:

- $\rho, i \models \sum_j a_j x_j \leq b$,

- $\sum_j a_j v_i[j] \leq b$ (by definition of $\models$),

- $\pi_2(\mathrm{ft}(\rho)(i))(\sum_j a_j x_j) \subseteq (-\infty, b]$ (by definition of $\mathrm{ft}(\rho)$),

- $\mathrm{ft}(\rho), i \models_{\mathrm{symb}} \sum_j a_j x_j \leq b$ (by definition of $\models_{\mathrm{symb}}$).

The base cases for the other arithmetical constraints can be shown similarly.

• For the induction step, by way of example we deal with the case $\phi = \mathrm{X}\psi$ (the cases for the Boolean operators or for the other temporal operators are analogous). We have the following equivalences:

- $\rho, i \models \mathrm{X}\psi$,

- $\rho, i+1 \models \psi$ (by definition of $\models$),

- $\mathrm{ft}(\rho), i+1 \models_{\mathrm{symb}} \psi$ (by induction hypothesis),

- $\mathrm{ft}(\rho), i \models_{\mathrm{symb}} \mathrm{X}\psi$ (by definition of $\models_{\mathrm{symb}}$).

□

As a corollary, we obtain the following.

Lemma 6.6. Let $R = (X, T, B)$ be a resource and $\rho$ and $\rho'$ be two infinite runs with identical footprints with respect to $R$. For all formulae $\phi$ built over $R$ and positions $i \geq 0$, we have $\rho, i \models \phi$ iff $\rho', i \models \phi$.

Given a minimal path schema $P = p_1 l_1^{+} p_2 l_2^{+} \cdots p_k l_k^{\omega}$ and a run $\rho$ respecting $P$, $\mathrm{ft}(\rho)$ (with respect to a resource $R = (X, T, B)$) is an ultimately periodic word that can be written in the form $w \cdot u^\omega$ where $\mathrm{len}(u) = \mathrm{len}(l_k)$. Note that $P$ also denotes a class of ultimately periodic words, but over a different alphabet.

6.2. Unfolding

Let $R = (X, T, B)$ be a resource and $P = p_1 l_1^{+} p_2 l_2^{+} \cdots p_k l_k^{\omega}$ be a minimal path schema. In order to define the set of path schemas $Y_P$, we need to define other objects such as guards (from the set $G^*(T, B, U)$ defined below), control states (from the set $Q' = Q \times I^T$), and transitions from the set $\Delta'$ defined below using $G^*(T, B, U)$, $Q'$ and other objects from $P$.

Let $\Delta_P$ be the set of transitions occurring in $P$ and $Q'$ be $Q \times I^T$. Given $t = \sum_j a_j x_j \in T$, $u \in \mathbb{Z}^n$ and a term map $m$, we write $\psi(t, u, m(t))$ to denote the formula below ($b, b' \in B$):

• $\psi(t, u, (-\infty, b]) \stackrel{\mathrm{def}}{=} \sum_j a_j (x_j + u(j)) \leq b$,

• $\psi(t, u, [b, +\infty)) \stackrel{\mathrm{def}}{=} \sum_j a_j (x_j + u(j)) \geq b$,

• $\psi(t, u, [b, b']) \stackrel{\mathrm{def}}{=} \big(\sum_j a_j (x_j + u(j)) \leq b'\big) \wedge \big(\sum_j a_j (x_j + u(j)) \geq b\big)$.
The formulae of the form $\psi(t, u, \mathrm{int})$, where $\mathrm{int} \in I$, have been designed to satisfy the property below.

Lemma 6.7. Let $v : \{x_1, \ldots, x_n\} \to \mathbb{N}$ and $v' : \{x_1, \ldots, x_n\} \to \mathbb{N}$ be such that for every $i \in [1, n]$, $v'(x_i) = v(x_i) + u(i)$. For every interval $\mathrm{int} \in I$, for every term $t \in T$, $v \models \psi(t, u, \mathrm{int})$ iff $v'(t) \in \mathrm{int}$.

The proof is by an easy verification.

We write $G^*(T, B, U)$ to denote the set of guards of the form $\psi(t, u, m(t))$ where $t \in T$, $U$ is the finite set of updates from $P$ and $m : T \to I$. Each guard in $G^*(T, B, U)$ is of linear size in the size of $P$.

We define $\Delta'$ as a finite subset of $Q' \times \Delta_P \times G^*(T, B, U) \times U \times Q'$ such that for every $(q, m) \xrightarrow{\delta, (g_{m'}, u)} (q', m') \in \Delta'$, the conditions below are satisfied:

• $q = \mathrm{source}(\delta)$ and $q' = \mathrm{target}(\delta)$,

• $g_{m'}$ is a guard that states that after the update $u$, for each $t \in T$, its value belongs to $m'(t)$; $g_{m'}$ is equal to $\bigwedge_{t \in T} \psi(t, u, m'(t))$,

• term values belong to intervals that make $\mathrm{guard}(\delta)$ true, i.e. $m \vdash \mathrm{guard}(\delta)$,

• $u = \mathrm{update}(\delta)$.

We extend the definition of $\mathrm{source}(\delta)$ to $\delta' = (q, m) \xrightarrow{\delta, (g_{m'}, u)} (q', m') \in \Delta'$. We define $\mathrm{source}(\delta') = (q, m)$ and $\mathrm{target}(\delta') = (q', m')$. Similarly, for a finite word $w \in (\Delta')^*$, we define $\mathrm{source}(w) = \mathrm{source}(w(1))$ and $\mathrm{target}(w) = \mathrm{target}(w(\mathrm{len}(w)))$.

We define skeletons as slight variants of the path schemas in $Y_P$, with the differences explained below. A skeleton (compatible with $P$ and $(q_0, v_0)$) $\mathrm{sk}$, say

$(q_1, m_1) \xrightarrow{\delta_1, (g_{m_2}, u_1)} (q_2, m_2) \xrightarrow{\delta_2, (g_{m_3}, u_2)} (q_3, m_3) \cdots \xrightarrow{\delta_K, (g_{m_{K+1}}, u_K)} (q_{K+1}, m_{K+1})$,

is a finite word over $\Delta'$ such that

(init) For every term $t = \sum_j a_j x_j \in T$, we have $\sum_j a_j v_0[j] \in m_1(t)$ where $v_0$ is the initial vector.

(schema) Let $f : (\Delta')^* \to \Delta^*$ be the map such that $f(\varepsilon) = \varepsilon$, $f(w \cdot w') = f(w) \cdot f(w')$ and $f\big((q, m) \xrightarrow{\delta, (g_{m'}, u)} (q', m')\big) = \delta$. We require that $f(\mathrm{sk}) \in p_1 l_1^{+} p_2 l_2^{+} \cdots p_k l_k^{+}$.

(minimality) For every factor $w = (q_I, m_I) \to (q_{I+1}, m_{I+1}) \cdots \to (q_J, m_J)$ of $\mathrm{sk}$ such that $f(w) = (l)^3$ for some loop $l$ of $P$ (therefore $J = I + 3 \times \mathrm{len}(l)$), there is $\alpha \in [1, \mathrm{len}(l)]$ such that $m_{I+\alpha} \prec_{\mathrm{effect}(l)} m_{I+\alpha+2 \times \mathrm{len}(l)}$.

(last-loop) For the unique suffix $w$ of $\mathrm{sk}$ of length $\mathrm{len}(l_k)$, we have $f(w) = l_k$ and $\mathrm{source}(w) = \mathrm{target}(w)$.

Lemma 6.8. For a skeleton $\mathrm{sk}$, $\mathrm{len}(\mathrm{sk}) \leq (\mathrm{len}(p_1) + \cdots + \mathrm{len}(p_k)) + 2 \times (2 \times \mathrm{card}(T) \times \mathrm{card}(B) + \mathrm{card}(T)) \times (\mathrm{len}(l_1) + \cdots + \mathrm{len}(l_k))$.

Proof Since $f(\mathrm{sk}) \in p_1 l_1^{+} p_2 l_2^{+} \cdots p_k l_k^{+}$, let $f(\mathrm{sk}) = p_1 l_1^{n_1} p_2 l_2^{n_2} \cdots p_k l_k^{n_k}$ for some $n_1, \ldots, n_k \geq 1$. We have $\mathrm{len}(\mathrm{sk}) \leq (\mathrm{len}(p_1) + \cdots + \mathrm{len}(p_k)) + \max(n_i) \times (\mathrm{len}(l_1) + \cdots + \mathrm{len}(l_k))$. It remains to bound the values $n_1, \ldots, n_k$. For each factor $w$ of $\mathrm{sk}$ such that $f(w) = (l_i)^{n_i}$ with $i \in [1, k]$, by the (minimality) condition and Lemma 6.2 we conclude that $n_i \leq 2 \times (2 \times \mathrm{card}(T) \times \mathrm{card}(B) + \mathrm{card}(T))$. Consequently, $\mathrm{len}(\mathrm{sk}) \leq (\mathrm{len}(p_1) + \cdots + \mathrm{len}(p_k)) + 2 \times (2 \times \mathrm{card}(T) \times \mathrm{card}(B) + \mathrm{card}(T)) \times (\mathrm{len}(l_1) + \cdots + \mathrm{len}(l_k))$. □

From skeletons, we shall define path schemas built over the alphabet $Q' \times G^*(T, B, U) \times U \times Q'$ (transitions are no longer formally labelled by elements in $\Delta_P$; sometimes we keep these labels for convenience). As for the definition of $f$, let $\Delta$ be a finite subset of $Q' \times G^*(T, B, U) \times U \times Q'$ and let $h : (\Delta')^* \to (\Delta)^*$ be the map such that $h(\varepsilon) = \varepsilon$, $h(w \cdot w') = h(w) \cdot h(w')$ and $h\big((q, m) \xrightarrow{\delta, (g_{m'}, u)} (q', m')\big) = (q, m) \xrightarrow{(g_{m'}, u)} (q', m')$. This time, elements of $\Delta_P$ are removed instead of being kept as for $f$. Given a skeleton $\mathrm{sk}$, we shall define a path schema $P_{\mathrm{sk}} = p'_1 (l'_1)^{+} p'_2 (l'_2)^{+} \cdots p'_{k'} (l'_{k'})^{\omega}$ such that $h(\mathrm{sk}) = p'_1 l'_1 \cdots p'_{k'} l'_{k'}$. Hence, skeletons slightly differ from path schemas. It remains to specify how the loops in $P_{\mathrm{sk}}$ are identified.

Every factor $w = (q_I, m_I) \xrightarrow{\delta_I, (g_{m_{I+1}}, u_I)} (q_{I+1}, m_{I+1}) \cdots \xrightarrow{\delta_{J-1}, (g_{m_J}, u_{J-1})} (q_J, m_J)$ of $\mathrm{sk}$ such that

1. $f(w) = l$ for some loop $l$ of $P$,

2. $w$ is not the suffix of $\mathrm{sk}$ of length $\mathrm{len}(l_k)$,

3. the sequence of the $\mathrm{len}(l)$ next elements after $w$ is also equal to $w$,

is replaced by $(h(w))^{+}$. Finally, $l'_{k'}$ is equal to $h(w)$ where $w$ is the unique suffix of $\mathrm{sk}$ of length $\mathrm{len}(l_k)$. Note that the path schema $P_{\mathrm{sk}}$ is unique by the condition (minimality). Indeed, there is no factor of $\mathrm{sk}$ of the form $w^3$ such that $f(w) = l$ for some loop $l$ of $P$. As far as the labelling function is concerned, the labels of $q$ and $(q, m)$ are identical with respect to the set $X$, i.e. $l((q, m)) = l(q) \cap X$. Hence,

1. $k' \leq k \times (2 \times \mathrm{card}(T) \times \mathrm{card}(B) + \mathrm{card}(T))$,

2. $\mathrm{len}(P_{\mathrm{sk}}) \leq (\mathrm{len}(p_1) + \cdots + \mathrm{len}(p_k)) + 2 \times (2 \times \mathrm{card}(T) \times \mathrm{card}(B) + \mathrm{card}(T)) \times (\mathrm{len}(l_1) + \cdots + \mathrm{len}(l_k))$,

3. $P_{\mathrm{sk}}$ has no guards with disjunctions.

Note that the construction of a path schema from a skeleton cannot be done by simply taking the path segments as before and the copies of the loop segments as alternating path and loop segments in the new path schema. For example, consider the system with one counter $x$, $I = \{(-\infty, -1], [0, 0], [1, 1], [2, 2], [3, \infty)\}$ and $T = \{x + 1\}$.

In Figure 8,

• $p_1 (l_1)^{+}\, l'_1 (l'_1)^{+}\, l''_1 (l''_1)^{+}\, p_2 (l_2)^{\omega}$ does not have any valid run respecting it as a path schema, as the loops $l_1, l'_1$ cannot be taken even once in any run.

• $\cdots p_2 (l_2)^{\omega}$ has a valid run respecting it as a path schema. But here all the unfoldings of the loop $l_1$ are taken as path segments.

We write $Y_P$ to denote the set of unfolded path schemas obtained from $P$ with respect to $R$. A skeleton is compatible with $P$ whenever its corresponding path schema belongs to $Y_P$.

Lemma 6.9. Checking whether a word $w \in (Q' \times \Delta_P \times G^*(T, B, U) \times U \times Q')^*$ is a skeleton compatible with $P$ and $(q_0, v_0)$, assuming that $\mathrm{len}(w) \leq (\mathrm{len}(p_1) + \cdots + \mathrm{len}(p_k)) + 2(2 \times \mathrm{card}(T) \times \mathrm{card}(B) + \mathrm{card}(T)) \times (\mathrm{len}(l_1) + \cdots + \mathrm{len}(l_k))$, can be done in polynomial time in the size of $(q_0, v_0)$, $P$, $T$ and $B$.

Proof Let $w$ be a word over $Q' \times \Delta_P \times G^*(T, B, U) \times U \times Q'$ whose length is bounded by $(\mathrm{len}(p_1) + \cdots + \mathrm{len}(p_k)) + 2(2 \times \mathrm{card}(T) \times \mathrm{card}(B) + \mathrm{card}(T)) \times (\mathrm{len}(l_1) + \cdots + \mathrm{len}(l_k))$. Let $N$ be the sum of the respective sizes of $(q_0, v_0)$, $P$, $T$ and $B$. Since the length of $w$ is bounded, its size is also polynomial in $N$.

Checking whether an element in $Q' \times \Delta_P \times G^*(T, B, U) \times U \times Q'$ belongs to $\Delta'$ can be done in polynomial time in $N$ thanks to Lemma 6.3(I). Hence, checking whether $w$ belongs to $(\Delta')^*$ can be done in polynomial time in $N$ too, since its length is also polynomial in $N$. It remains to check the conditions for skeletons.



Figure 8: A path $P$ and two unfolded path schemas in $Y_P$
• Condition (schema) can be checked by first building $f(w)$ (this requires linear time in $N$) and then checking whether it belongs to $p_1 l_1^{+} p_2 l_2^{+} \cdots p_k l_k^{+}$ (this also requires linear time in $N$).

• Condition (last-loop) can be checked by extracting the suffix of $w$ of length $\mathrm{len}(l_k)$.

• Condition (minimality) can be checked by considering all the factors $w'$ of $w$ (there are fewer than $\mathrm{len}(w)^2$ of them) and, whenever $f(w') = l^3$ for some loop $l$, verifying that the condition is satisfied. All these operations can be done in polynomial time in $N$.

• Finally, condition (init) is also easy to check in polynomial time in $N$.

□ 

The main property about $Y_P$ is stated below.

Proposition 6.10.

(I) Let $\rho$ be an infinite run respecting $P$ and starting at $(q_0, v_0)$. Then, there is a path schema $P'$ in $Y_P$ and an infinite run $\rho'$ respecting $P'$ such that $\mathrm{ft}(\rho) = \mathrm{ft}(\rho')$.

(II) Let $\rho$ be an infinite run respecting $P'$ for some $P' \in Y_P$. Then, there is an infinite run $\rho'$ respecting $P$ such that $\mathrm{ft}(\rho) = \mathrm{ft}(\rho')$.

Proof (I) Let $\rho = (q_0, v_0) \xrightarrow{\delta_0} (q_1, v_1) \xrightarrow{\delta_1} \cdots$ be an infinite run respecting $P$ with footprint $\mathrm{ft}(\rho) : \mathbb{N} \to 2^X \times I^T$. We write $(L_i, m_i)$ to denote $\mathrm{ft}(\rho)(i)$. In order to build $\rho'$ and $P'$, first we enrich the structure $\rho$ and then we define a skeleton from the enriched structure that allows us to define $P'$. The run $\rho'$ is then defined from $\rho$ so that the sequences of counter values are identical. From $\rho$, we consider the infinite sequence below:

$w = (q_0, m_0) \xrightarrow{\delta_0, (g_{m_1}, \mathrm{update}(\delta_0))} (q_1, m_1) \xrightarrow{\delta_1, (g_{m_2}, \mathrm{update}(\delta_1))} \cdots$

It is easy to check that $w$ can be viewed as an element of $(\Delta')^\omega$ where $\Delta'$ is defined as a finite subset of $Q' \times \Delta_P \times G^*(T, B, U) \times U \times Q'$ where $U$ is the finite set of updates from $P = p_1 (l_1)^{+} p_2 (l_2)^{+} \cdots (l_{k-1})^{+} p_k (l_k)^{\omega}$. Moreover, we have $f(w) \in \mathcal{L}(P)$, that is $f(w) = p_1 (l_1)^{n_1} p_2 (l_2)^{n_2} \cdots (l_{k-1})^{n_{k-1}} p_k (l_k)^{\omega}$ for some $n_1, \ldots, n_{k-1} \geq 1$. From $w$, one can build a skeleton $\mathrm{sk}$ compatible with $P$ and $(q_0, v_0)$. $\mathrm{sk}$ is formally a subword of $w$ such that



$f(\mathrm{sk}) = p_1 (l_1)^{n'_1} p_2 (l_2)^{n'_2} \cdots (l_{k-1})^{n'_{k-1}} p_k (l_k)^{n'_k}$

with $1 \leq n'_i \leq \min(n_i, 2 \times (2 \times \mathrm{card}(T) \times \mathrm{card}(B) + \mathrm{card}(T)))$ for every $i \in [1, k-1]$ and $1 \leq n'_k \leq 2 \times (2 \times \mathrm{card}(T) \times \mathrm{card}(B) + \mathrm{card}(T))$. We have $w = w' \cdot w_0 \cdot w_0 \cdot (w_0)^\omega$ with $f(w_0) = l_k$. The skeleton $\mathrm{sk}$ is obtained from $w' \cdot w_0 \cdot w_0$ by deleting copies of loops as soon as two copies are consecutive. More precisely, every maximal factor of $w' \cdot w_0 \cdot w_0$ of the form $(w_*)^N$ with $N > 2$ such that $f(w_*) = l_i$ for some loop $l_i$ of $P$ is replaced by $(w_*)^2$. This type of replacement can be done at most $k \times (2 \times (2 \times \mathrm{card}(T) \times \mathrm{card}(B) + \mathrm{card}(T)))$ times. One can check that $\mathrm{sk}$ is indeed a skeleton compatible with $P$ and $(q_0, v_0)$. Let us consider that $\mathrm{sk}$ can be written as

$(q_1, m_1) \xrightarrow{\delta_1, (g_{m_2}, u_1)} (q_2, m_2) \xrightarrow{\delta_2, (g_{m_3}, u_2)} (q_3, m_3) \cdots \xrightarrow{\delta_K, (g_{m_{K+1}}, u_K)} (q_{K+1}, m_{K+1})$

Considering the path schema $P_{\mathrm{sk}}$ built from $\mathrm{sk}$, one can show that the sequence $\rho'$ below is an infinite run respecting $P_{\mathrm{sk}}$:

$((q_0, m_0), v_0) \xrightarrow{(g_{m_1}, \mathrm{update}(\delta_0))} ((q_1, m_1), v_1) \xrightarrow{(g_{m_2}, \mathrm{update}(\delta_1))} ((q_2, m_2), v_2) \cdots$

so that $\mathrm{ft}(\rho) = \mathrm{ft}(\rho')$. When entering the last loop of $P_{\mathrm{sk}}$, counter values still evolve but the sequence of control states forms a periodic word made of the last $\mathrm{len}(l_k)$ control states of $\mathrm{sk}$. By construction of $\mathrm{sk}$ and $P_{\mathrm{sk}}$, it is clear that $\rho$ and $\rho'$ have the same sequences of counter values (they actually have the same sequences of updates) and, by definition of the labellings, they also have the same sequences of sets of atomic propositions. It remains to check that $\rho'$ is indeed a run, which amounts to verifying that guards are satisfied, but this is guaranteed by the way guards are defined and by the completeness result in Lemma 6.3(II).

(II) Let $\rho$ be some run respecting some $P' \in Y_P$ of the form below:

$((q_0, m_0), v_0) \xrightarrow{\delta_0, (g_{m_1}, \mathrm{update}(\delta_0))} ((q_1, m_1), v_1) \xrightarrow{\delta_1, (g_{m_2}, \mathrm{update}(\delta_1))} ((q_2, m_2), v_2) \cdots$

In the above run, we have decorated the steps by transitions from $P$, as $P'$ is defined from a skeleton in which transitions are decorated by such transitions. After a tedious verification, one can show that

$\rho' = (q_0, v_0) \xrightarrow{\delta_0} (q_1, v_1) \cdots$

is a run respecting $P$ such that $\mathrm{ft}(\rho) = \mathrm{ft}(\rho')$. Satisfaction of guards is guaranteed by the way $\Delta'$ is defined. The fact that $\rho'$ respects $P$ is even easier to justify since all the path schemas in $Y_P$ can be viewed as specific instances of $P$ that differ in the way the term maps evolve. Details are omitted.

□ 

Let $P' = p'_1 (l'_1)^{+} \cdots p'_{k'} (l'_{k'})^{\omega}$ be a path schema in $Y_P$ and $\rho$ be a run

$((q_0, m_0), v_0) \xrightarrow{(g_{m_1}, \mathrm{update}(\delta_0))} ((q_1, m_1), v_1) \xrightarrow{(g_{m_2}, \mathrm{update}(\delta_1))} ((q_2, m_2), v_2) \cdots$

respecting $P'$. It is easy to show that for $i \geq 0$, we have $\pi_2(\mathrm{ft}(\rho)(i)) = m_i$ and $\mathrm{ft}(\rho)$ is an ultimately periodic word of the form $w \cdot u^\omega$ where $\mathrm{len}(u) = \mathrm{len}(l'_{k'}) = \mathrm{len}(l_k)$ and $\mathrm{len}(w) = (\mathrm{len}(p'_1) + \cdots + \mathrm{len}(p'_{k'})) + (\mathrm{iter}_{P'}(\rho)[1] \times \mathrm{len}(l'_1) + \cdots + \mathrm{iter}_{P'}(\rho)[k'-1] \times \mathrm{len}(l'_{k'-1}))$. As seen previously, we have $\rho, i \models \phi$ iff $\mathrm{ft}(\rho), i \models_{\mathrm{symb}} \phi$. We also define a function $\mathrm{proj}$ which associates to $w \in \Delta^\omega$ the $\omega$-sequence $\mathrm{proj}(w) : \mathbb{N} \to 2^X \times I^T$ such that for all $i \in \mathbb{N}$, if $w(i) = ((q, m), g, u, (q', m'))$ and $l(q) \cap X = L$ then $\mathrm{proj}(w)(i) = (L, m)$. Now, we can state the main theorem about removing disjunctions in the guards by unfolding loops. It entails the main properties we expect from $Y_P$.

Theorem 6.11. Given a flat counter system $S$, a minimal path schema $P$, a set of terms $T$ including those in $P$, a set of constants $B$ including those in $P$ and an initial configuration $(q_0, v_0)$, there is a finite set of path schemas $Y_P$ such that:

1. No path schema in $Y_P$ contains guards with disjunctions in it.

2. For every path schema $P' \in Y_P$, its length $\mathrm{len}(P')$ is polynomial in $\mathrm{len}(P) + \mathrm{card}(T) + \mathrm{card}(B)$.

3. Checking whether a path schema $P'$ belongs to $Y_P$ can be done in polynomial time in $\mathrm{size}(P) + \mathrm{card}(T) + \mathrm{card}(B)$.

4. For every run $\rho$ respecting $P$ and starting at $(q_0, v_0)$, we can find a run $\rho'$ respecting some $P' \in Y_P$ such that $\rho \models \phi$ iff $\rho' \models \phi$ for every $\phi$ built over some resource $(X, T, B)$.

5. For every run $\rho'$ respecting some $P' \in Y_P$ with initial counter values $v_0$, we can find a run $\rho$ respecting $P$ such that $\rho \models \phi$ iff $\rho' \models \phi$ for every $\phi$ built over some resource $(X, T, B)$.

6. For every ultimately periodic word $w \cdot u^\omega \in \mathcal{L}(P')$, for every $\phi$ built over $R$, checking whether $\mathrm{proj}(w \cdot u^\omega), 0 \models_{\mathrm{symb}} \phi$ can be done in polynomial time in the size of $w \cdot u$ and in the size of $\phi$.
Proof Let $Y_P$ be the set of path schemas defined from the minimal path schema $P$.

1. For every path schema in $Y_P$, the guards on transitions are of the form $\bigwedge_{t \in T} \psi(t, u, m(t))$ and each guard $\psi(t, u, m(t))$ is itself either an atomic guard or a conjunction of two atomic guards. Hence, no path schema in $Y_P$ contains guards with disjunctions in it.

2. By Lemma 6.8, every skeleton defining a path schema in $Y_P$ has polynomial length in $\mathrm{len}(P) + \mathrm{card}(T) + \mathrm{card}(B)$. Each path schema in $Y_P$ has a length linear in the length of its corresponding skeleton. Consequently, for $P' \in Y_P$, its length $\mathrm{len}(P')$ is polynomial in $\mathrm{len}(P) + \mathrm{card}(T) + \mathrm{card}(B)$.

3. Given a path schema $P'$ in $Y_P$, one can easily identify its underlying skeleton $\mathrm{sk}$ by removing the iteration operators $+$ and $\omega$ (easy at the cost of keeping track of transitions from $\Delta_P$). By Lemma 6.9, checking whether $\mathrm{sk}$ is compatible with $P$ and $(q_0, v_0)$ can be done in polynomial time in $\mathrm{size}(P) + \mathrm{card}(T) + \mathrm{card}(B)$. In particular, if $\mathrm{sk}$ is too long, this can be checked in polynomial time too.

4. By Proposition 6.10(I), for every run $\rho$ respecting $P$ and starting at $(q_0, v_0)$, there are $P' \in Y_P$ and a run $\rho'$ respecting $P'$ such that $\mathrm{ft}(\rho) = \mathrm{ft}(\rho')$. By Lemma 6.6, $\rho \models \phi$ iff $\rho' \models \phi$.

5. Similar to (4.) by using Proposition 6.10(II).

6. We consider an ultimately periodic word $w \cdot u^\omega \in \mathcal{L}(P')$. From it we can build in linear time the ultimately periodic word $w' \cdot u'^\omega = \mathrm{proj}(w \cdot u^\omega)$ over the alphabet $2^X \times I^T$, and the size of the word $w'$ [resp. $u'$] is linear in the size of the word $w$ [resp. $u$]. By [22], we know that $w' \cdot u'^\omega, 0 \models_{\mathrm{symb}} \phi$ can be checked in time $O(\mathrm{size}(\phi)^2 \times \mathrm{len}(w' \cdot u'))$. Indeed, $\models_{\mathrm{symb}}$ is analogous to the satisfaction relation for plain Past LTL.

□

7. Model-checking PLTL[C] over Flat Counter Systems

In this section, we provide a nondeterministic polynomial-time algorithm to solve MC(PLTL[C], CFS) (see Algorithm 1). To do so, we combine the properties of the general stuttering theorem for LTL with past-time operators (see Theorem 3.1) with small solutions of constraint systems. In Algorithm 1 below, we have chosen to perform the nondeterministic steps (guesses) at the beginning of the algorithm only. Note that a polynomial $p^*(\cdot)$ is used. Let us explain below how it is defined. Let $S$ be a flat counter system, $c_0 = (q_0, v_0)$ be an initial configuration and $\phi \in$ PLTL[C]. Let $N = \mathrm{size}(S) + \mathrm{size}((q_0, v_0)) + \mathrm{size}(\phi)$. Let $P$ be a minimal path schema of $S$. We have:

• $\mathrm{len}(P) \leq 2 \times \mathrm{card}(\Delta) \leq 2N$,

• $\mathrm{nbloops}(P) \leq \mathrm{card}(Q) \leq N$.

Let $T$ be the set of terms $t$ occurring in $S$ and in $\phi$ in guards of the form $t \sim b$. We have $\mathrm{card}(T) \leq \mathrm{size}(S) + \mathrm{size}(\phi) \leq N$. Let $B$ be the set of constants $b$ occurring in $S$ and $\phi$ in guards of the form $t \sim b$. We have $\mathrm{card}(B) \leq \mathrm{size}(S) + \mathrm{size}(\phi) \leq N$. Let $R = (X, T, B)$ be the resource such that $X$ is the finite set of propositional variables occurring in $\phi$.

Let MAX be the maximal absolute value of a constant occurring in $S$, $\phi$, $v_0$ (either as an element of $B$, as a coefficient in front of a counter, or as a value in $v_0$). We have $\mathrm{MAX} \leq 2^N$.

Now, let $P'$ be a path schema in $Y_P$ with $P' = p_1 (l_1)^+ p_2 (l_2)^+ \cdots p_k (l_k)^\omega$. Since $\mathrm{len}(P') \leq (\mathrm{len}(p_1) + \cdots + \mathrm{len}(p_k)) + 2 \times (2 \times \mathrm{card}(T) \times \mathrm{card}(B) + \mathrm{card}(T)) \times (\mathrm{len}(l_1) + \cdots + \mathrm{len}(l_k))$, we have $\mathrm{len}(P') \leq 5 \times \mathrm{card}(T) \times \mathrm{card}(B) \times \mathrm{len}(P) \leq 5N^3$. Similarly, $\mathrm{nbloops}(P') \leq 5N^3$. The number of guards occurring in $P'$ is bounded by $\mathrm{len}(P') \times 2 \times \mathrm{card}(T) \leq 10 \times N^4$. The maximal constant $\mathrm{MAX}'$ occurring in $P'$ is bounded by $\mathrm{MAX} + n \times \mathrm{MAX}^2$, which is bounded by $N \times 2^{2 \times N}$. Let $\mathcal{E}$ be the constraint system defined from $P'$.

• The number of variables is equal to $\mathrm{nbloops}(P')$, which is bounded by $5N^3$.

• The number of conjuncts is bounded by $2 \times \mathrm{len}(P') \times n \times (1 + N_1)$, where $N_1$ is the number of atomic guards in $P'$. Hence, this number is bounded by $2 \times 5N^3 \times N \times (1 + 10 \times N^4) \leq 110 N^8$.

• The greatest absolute value among the constants in $\mathcal{E}$ is bounded by $n \times \mathrm{nbloops}(P') \times (\mathrm{MAX}')^4 \times \mathrm{len}(P')^3$, which is bounded by $N (5N^3) (N \times 2^{2 \times N})^4 \times 5^3 N^9 \leq 625 \times N^{17} \times 2^{8 \times N}$.

Let us show that $\mathcal{E} \wedge \psi_1 \wedge \cdots \wedge \psi_{k-1}$ admits a small solution using the theorem below, for any $\psi_1 \wedge \cdots \wedge \psi_{k-1}$ built from Algorithm 1.

Theorem 7.1. [5] Let $A \in [-M, M]^{U \times V}$ and $b \in [-M, M]^U$, where $U, V, M \in \mathbb{N}$. If there is $x \in \mathbb{N}^V$ such that $Ax \geq b$, then there is $y \in [0, (\max\{V, M\})^{CU}]^V$ such that $Ay \geq b$, where $C$ is some constant.

By Theorem 7.1, $\mathcal{E} \wedge \psi_1 \wedge \cdots \wedge \psi_{k-1}$ has a solution iff $\mathcal{E} \wedge \psi_1 \wedge \cdots \wedge \psi_{k-1}$ has a solution whose counter values are bounded by

$$(625 \times N^{17} \times 2^{8 \times N})^{C \times 2 \times (110 \times N^8 + 5 \times N^3)}$$

which can easily be shown to be bounded by $2^{p^*(N)}$ for some polynomial $p^*(\cdot)$ (of degree 9). This is precisely the polynomial $p^*(\cdot)$ that is used in Algorithm 1 (for obvious reasons). In order to justify the coefficient 2 before 110, note that any constraint of the form $\sum_i a_i y_i \sim b$ with $\sim \in \{=, \leq, \geq, <, >\}$ can be equivalently replaced by 1 or 2 atomic constraints of the form

$$\sum_i a_i y_i \geq b.$$



Algorithm 1 The main algorithm in NP with inputs $S$, $c_0 = (q_0, v_0)$, $\phi$
1: guess a minimal path schema $P$ of $S$
2: build a resource $R = (X, T, B)$ coherent with $P$ and $\phi$
3: guess a valid path schema $P' = p_1 l_1^+ p_2 l_2^+ \cdots p_k l_k^\omega$ such that $\mathrm{len}(P') \leq q^*(\mathrm{len}(P) + \mathrm{card}(T) + \mathrm{card}(B))$
4: guess $y \in [1, 2\mathrm{td}(\phi) + 5]^{k-1}$
5: guess $y' \in [1, 2^{p^*(\mathrm{size}(S) + \mathrm{size}(c_0) + \mathrm{size}(\phi))}]^{k-1}$
6: check that $P'$ belongs to $Y_P$
7: check that $\mathrm{proj}(p_1 l_1^{y[1]} p_2 l_2^{y[2]} \cdots l_{k-1}^{y[k-1]} p_k l_k^\omega), 0 \models_{\mathrm{symb}} \phi$
8: build the constraint system $\mathcal{E}$ over the variables $y_1, \ldots, y_{k-1}$ for $P'$ with initial counter values $v_0$ (obtained from Lemma 5.1)
9: for $i = 1 \to k - 1$ do
10:   if $y[i] = 2\mathrm{td}(\phi) + 5$ then
11:     $\psi_i \leftarrow$ "$y_i \geq 2\mathrm{td}(\phi) + 5$"
12:   else
13:     $\psi_i \leftarrow$ "$y_i = y[i]$"
14:   end if
15: end for
16: check that $y' \models \mathcal{E} \wedge \psi_1 \wedge \cdots \wedge \psi_{k-1}$



Algorithm 1 starts by guessing a path schema $P$ (line 1) and an unfolded path schema $P' = p_1 l_1^+ p_2 l_2^+ \cdots p_k l_k^\omega$ (line 3) and checks whether $P'$ belongs to $Y_P$ (line 5). It remains to check whether there is a run $\rho$ respecting $P'$ such that $\rho \models \phi$. Suppose there is such a run $\rho$; let $y$ be the unique tuple in $[1, 2\mathrm{td}(\phi) + 5]^{k-1}$ such that $y \approx_{2\mathrm{td}(\phi)+5} \mathrm{iter}_{P'}(\rho)$. By Proposition 4.4, we have $\mathrm{proj}(p_1 l_1^{y[1]} p_2 l_2^{y[2]} \cdots p_k l_k^\omega) \models_{\mathrm{symb}} \phi$. Since the set of tuples of the form $\mathrm{iter}_{P'}(\rho)$ is characterized by a system of equations, by the existence of small solutions from [3], we can assume that $\mathrm{iter}_{P'}(\rho)$ contains only small values. Hence line 4 guesses $y$ and $y'$ (corresponding to $\mathrm{iter}_{P'}(\rho)$ with small values). Line 6 precisely checks $\mathrm{proj}(p_1 l_1^{y[1]} p_2 l_2^{y[2]} \cdots l_{k-1}^{y[k-1]} p_k l_k^\omega), 0 \models_{\mathrm{symb}} \phi$ whereas line 11 checks whether $y'$ encodes a run respecting $P'$ with $y' \approx_{2\mathrm{td}(\phi)+5} y$.

Lemma 7.2. Algorithm 1 runs in nondeterministic polynomial time.

Proof First, let us check that all the guesses can be done in polynomial time.

• A minimal path schema $P$ of $S$ is of polynomial size with respect to the size of $S$.

• The path schema $P'$ is of polynomial size with respect to the size of $P$, $\phi$ and $c_0$ (Theorem 6.11(2)).

• $y$ and $y'$ are obviously of polynomial size since their components have values bounded by some exponential expression (values in $y$ can be much smaller than the values in $y'$).

Now, let us verify that all the checks can be done in polynomial time too.

• Both $P$ and $P'$ are of polynomial size with respect to the size of the inputs, and checking compatibility amounts to verifying that $P'$ is an unfolding of $P$, which can be done in polynomial time (see Lemma 6.9).

• Checking whether $\mathrm{proj}(p_1 l_1^{y[1]} p_2 l_2^{y[2]} \cdots l_{k-1}^{y[k-1]} p_k l_k^\omega), 0 \models_{\mathrm{symb}} \phi$ can be done in polynomial time using Theorem 6.11(6), since $p_1 l_1^{y[1]} p_2 l_2^{y[2]} \cdots p_k l_k$ is of polynomial size with respect to the size of $P'$ and $\phi$.

• Building $\mathcal{E} \wedge \psi_1 \wedge \cdots \wedge \psi_{k-1}$ can be done in polynomial time since $\mathcal{E}$ can be built in polynomial time with respect to the size of $P'$ (see Section 5) and $\psi_1 \wedge \cdots \wedge \psi_{k-1}$ can be built in polynomial time with respect to the size of $\phi$ ($\mathrm{td}(\phi) \leq \mathrm{size}(\phi)$).

• $y' \models \mathcal{E} \wedge \psi_1 \wedge \cdots \wedge \psi_{k-1}$ can finally be checked in polynomial time since the values in $y'$ are of exponential magnitude and the combined constraint system is of polynomial size.

□

It remains to check that Algorithm 1 is correct, which is stated below.

Lemma 7.3. $S, c_0 \models \phi$ iff Algorithm 1 on inputs $S$, $c_0$, $\phi$ has an accepting run.

In the proof of Lemma 7.3 we take advantage of all our preliminary results.

Proof First, let us show that if Algorithm 1 on inputs $S$, $c_0 = (q_0, v_0)$, $\phi$ has an accepting computation, then $S, c_0 \models \phi$. This means that there are $P$, $P'$, $y$, $y'$ that satisfy all the checks. Let $w = p_1 l_1^{y'[1]} \cdots p_{k-1} l_{k-1}^{y'[k-1]} p_k l_k^\omega$ and $\rho = ((q_0, m_0), x_0)((q_1, m_1), x_1)((q_2, m_2), x_2) \cdots \in (Q' \times \mathbb{Z}^n)^\omega$ be defined as follows:

• For every $i \geq 0$, $q_i = \pi_1(\mathrm{source}(w(i)))$.

• $x_0 = v_0$ and for every $i \geq 1$, we have $x_i = x_{i-1} + \mathrm{update}(w(i))$.

By Lemma 5.1, since $y' \models \mathcal{E} \wedge \psi_1 \wedge \cdots \wedge \psi_{k-1}$, $\rho$ is a run respecting $P'$ starting at the configuration $((q_0, m_0), v_0)$. Since $y' \models \psi_1 \wedge \cdots \wedge \psi_{k-1}$ and $y \models \psi_1 \wedge \cdots \wedge \psi_{k-1}$, by Proposition 4.4, the propositions below are equivalent:

(*) $\mathrm{proj}(p_1 l_1^{y'[1]} p_2 l_2^{y'[2]} \cdots l_{k-1}^{y'[k-1]} p_k l_k^\omega), 0 \models_{\mathrm{symb}} \phi$,

(**) $\mathrm{proj}(p_1 l_1^{y[1]} p_2 l_2^{y[2]} \cdots l_{k-1}^{y[k-1]} p_k l_k^\omega), 0 \models_{\mathrm{symb}} \phi$.

Line 6 from Algorithm 1 guarantees that $\mathrm{proj}(p_1 l_1^{y[1]} p_2 l_2^{y[2]} \cdots l_{k-1}^{y[k-1]} p_k l_k^\omega), 0 \models_{\mathrm{symb}} \phi$, whence we have (*). Since $\mathrm{proj}(p_1 l_1^{y'[1]} \cdots l_{k-1}^{y'[k-1]} p_k l_k^\omega) = \mathrm{ft}(\rho)$, by Lemma 6.5 we deduce that $\rho, 0 \models \phi$. By Theorem 6.11(5), there is an infinite run $\rho'$, starting at the configuration $(q_0, v_0)$ and respecting $P$, such that $\rho', 0 \models \phi$.

Now, suppose that $S, c_0 \models \phi$. We shall show that there exist $P$, $P'$, $y$, $y'$ that allow us to build an accepting computation of Algorithm 1. There is a run $\rho$ starting at $c_0$ such that $\rho, 0 \models \phi$. By Corollary 4.3, $\rho$ respects some minimal path schema of $S$, say $P$. By Theorem 6.11(4), there is a path schema $P' = p_1 l_1^+ p_2 l_2^+ \cdots p_k l_k^\omega$ in $Y_P$ for which there is a run $\rho'$ satisfying $\phi$. Furthermore, since $P' \in Y_P$, $\mathrm{len}(P') \leq q^*(\mathrm{len}(P) + \mathrm{card}(T) + \mathrm{card}(B))$ for some polynomial $q^*(\cdot)$. From $\mathrm{iter}_{P'}(\rho') \in (\mathbb{N} \setminus \{0\})^{k-1}$, for every $i \in [1, k-1]$, we consider $\psi_i$ such that $\psi_i$ is equal to $y_i = \mathrm{iter}_{P'}(\rho')[i]$ if $\mathrm{iter}_{P'}(\rho')[i] < 2\mathrm{td}(\phi) + 5$, otherwise $\psi_i$ is equal to $y_i \geq 2\mathrm{td}(\phi) + 5$. Since $P'$ admits at least one infinite run $\rho'$ such that $\mathrm{iter}_{P'}(\rho')$ satisfies $\psi_1 \wedge \cdots \wedge \psi_{k-1}$, the constraint system $\mathcal{E}$ obtained from $P'$ (thanks to Lemma 5.1) but augmented with $\psi_1 \wedge \cdots \wedge \psi_{k-1}$ admits at least one solution. Let us define $y' \in [1, 2^{p^*(\mathrm{size}(S) + \mathrm{size}(c_0) + \mathrm{size}(\phi))}]^{k-1}$ as a small solution of $\mathcal{E} \wedge \psi_1 \wedge \cdots \wedge \psi_{k-1}$ and $y \in [1, 2\mathrm{td}(\phi) + 5]^{k-1}$ be defined such that for $i \in [1, k-1]$, $y[i] = \max(y'[i], 2\mathrm{td}(\phi) + 5)$. As shown previously, the bound $2^{p^*(\mathrm{size}(S) + \mathrm{size}(c_0) + \mathrm{size}(\phi))}$ is sufficient if there is a solution. Clearly, $y' \models \mathcal{E} \wedge \psi_1 \wedge \cdots \wedge \psi_{k-1}$. So $p_1 l_1^{y'[1]} p_2 l_2^{y'[2]} \cdots l_{k-1}^{y'[k-1]} p_k l_k^\omega$ generates a genuine run. Since $\mathrm{ft}(\rho') = \mathrm{proj}(p_1 l_1^{y'[1]} p_2 l_2^{y'[2]} \cdots l_{k-1}^{y'[k-1]} p_k l_k^\omega)$ (see Lemma 6.7) and since by Lemma 6.5 we have $\mathrm{ft}(\rho') \models_{\mathrm{symb}} \phi$, we get that $\mathrm{proj}(p_1 l_1^{y'[1]} p_2 l_2^{y'[2]} \cdots l_{k-1}^{y'[k-1]} p_k l_k^\omega), 0 \models_{\mathrm{symb}} \phi$. This also implies that $P'$ is valid. Hence

$$\mathrm{proj}(p_1 l_1^{y[1]} p_2 l_2^{y[2]} \cdots l_{k-1}^{y[k-1]} p_k l_k^\omega), 0 \models_{\mathrm{symb}} \phi$$

thanks to Proposition 4.4. Consequently, we have all the ingredients to safely build an accepting run for Algorithm 1 on inputs $S$, $c_0$, $\phi$. □

As a corollary, we can state the main result of the paper.

Theorem 7.4. MC(PLTL[C], CFS) is NP-complete.

As an additional corollary, we can solve the global model-checking problem with existential Presburger formulae (we knew that Presburger formulae exist for global model-checking [9], but we can conclude that they are structurally simple and we provide an alternative proof).

Corollary 7.5. Given a flat counter system $S$, a control state $q_0$ and a formula $\phi \in$ PLTL[C], one can effectively build an existential Presburger formula $\Phi$ that represents the initial counter values $v_0$ such that there is an infinite run $\rho$ starting at $(q_0, v_0)$ such that $\rho, 0 \models \phi$.

It is sufficient to consider the formula below:

$$\bigvee_{\text{minimal path schema } P} \ \ \bigvee_{P' \in Y_P} \ \ \bigvee_{y \text{ s.t. } \mathrm{proj}(p_1 l_1^{y[1]} p_2 l_2^{y[2]} \cdots l_{k-1}^{y[k-1]} p_k l_k^\omega), 0 \models_{\mathrm{symb}} \phi} \ \exists\, y_1 \cdots y_{k-1} \ \ \mathcal{E}'_{P'} \wedge \psi_1 \wedge \cdots \wedge \psi_{k-1}$$

where the first generalized disjunction deals with minimal path schemas starting on $q_0$, and the third generalized disjunction deals with $y \in [1, 2\mathrm{td}(\phi) + 5]^{k-1}$. Note that $\mathcal{E}'_{P'}$ is obtained from $\mathcal{E}_{P'}$ by replacing the initial counter values by free variables.

7.1. The special case of path schemas with a single loop

We have seen that MC(PLTL[C], CPS($k$)) is NP-hard as soon as $k \geq 2$. By contrast, we prove that MC(PLTL[C], CPS(1)) is in PTime by using the previous proof techniques.






Consider a path schema $P = p \cdot l^\omega$ in a counter system with only one loop $l$. Due to the structure of $P$, there exists at most one run $\rho$ respecting $P$ and starting from a given initial configuration $c_0$. $\mathrm{ft}(\rho)$ (defined in Section 6) is of the form $u \cdot v^\omega$, which is an ultimately periodic word. Since the only loop $l$ is to be taken an infinite number of times, we have $\mathrm{len}(v) = \mathrm{len}(l)$, which is polynomial in the size of the input, but $\mathrm{len}(u)$ can be exponential. However, note that $\mathrm{lab}(\rho(0)\rho(1) \cdots \rho(\mathrm{len}(u))) \in p \cdot l^+$, where the number of repetitions of $l$ may be exponential. The algorithm computes the number of different possible tuples of term maps (defined in Section 6) that the nodes of $l$ can have. This can be at most polynomially many, due to the monotonicity of the guards and arithmetical constraints. Next, for each such assignment $i$ of term maps to the nodes of $l$, the algorithm calculates the number of iterations $nl_i$ of $l$ for which the terms remain in their respective term maps. Note that each of these $nl_i$ can be exponentially large. Now, the formula is symbolically verified over the ultimately periodic path where the nodes of the path schema are augmented with the term maps.

Before defining the algorithm formally, we need to define some notions to be used in the algorithm. For a path segment $p = \delta_1 \delta_2 \cdots \delta_{\mathrm{len}(p)}$, we define $p[i, j] = \delta_i \delta_{i+1} \cdots \delta_j$ for $1 \leq i \leq j \leq \mathrm{len}(p)$. Also, for a loop segment $l$, we say a tuple of term maps $(m_1, m_2, \ldots, m_{\mathrm{len}(l)})$ is final iff for every term $t = \sum_j a_j x_j \in T$ and for all $1 \leq i \leq \mathrm{len}(l)$,

• $\sum_j a_j \, \mathrm{effect}(l)[j] > 0$ implies $m_i(t)$ is maximal in $I$,

• $\sum_j a_j \, \mathrm{effect}(l)[j] < 0$ implies $m_i(t)$ is minimal in $I$,

where $\mathrm{effect}(l)$ is as defined earlier in the paper.

Since the unique run respecting $P$ must contain $p$ and copies of $l$, we can specify the term maps for $w = p \cdot l$. Consider the function $f_{\mathrm{init}} : \{0, 1, 2, \ldots, \mathrm{len}(w)\} \to I^T$ for a given configuration $c = (q_0, v_0)$, defined as:

• $f_{\mathrm{init}}(0) = m$ iff for each term $t = \sum_j a_j x_j$ we have that $\sum_j a_j \cdot v_0[j] \in m(t)$ and $m \models \mathrm{guard}(w(0))$.

• For every $i \in [1, \mathrm{len}(w)]$, $f_{\mathrm{init}}(i) = m_i$ iff, for each term $t = \sum_j a_j x_j \in T$, we have that $\sum_j a_j \cdot (\mathrm{effect}(w[1, i])[j] + v_0[j]) \in m_i(t)$ and $m_i \models \mathrm{guard}(w(i))$.

• Otherwise, if the term maps do not satisfy the guards, then there does not exist any run and hence $f_{\mathrm{init}}(i)$ is undefined.

Also, we consider the function $\mathrm{curr} : T \to \mathbb{Z}$ which, in the algorithm, gives the value of the terms at specific positions of the run. The func-

For a path segment $p = \delta_1 \delta_2 \cdots \delta_{\mathrm{len}(p)}$ with $\delta_i = (q_i, u_i, q_{i+1}) \in \Delta$ for $i \in [1, \mathrm{len}(p)]$ and a given tuple of term maps $a = (m_1, m_2, \ldots, m_{\mathrm{len}(p)})$, we define $p \times a = \delta'_1 \cdots \delta'_{\mathrm{len}(p)}$ where $\delta'_i = ((q_i, m_i), u_i, (q_{i+1}, m_{i+1}))$.

Given an initial configuration $c$, we calculate the term maps for each position of $p$ and for the first iteration of $l$, using $f_{\mathrm{init}}$. Subsequently, we calculate new tuples of term maps $(m_1, m_2, \ldots, m_{\mathrm{len}(l)})$ for $l$ and the number of iterations $nl$ of $l$ for which the terms remain in their respective term maps from the tuple. We store the tuples of term maps in an array $A$ and the number of iterations corresponding to tuple $i$ in $nl_i$. If, at any position, we reach some term map that does not satisfy some guard, the procedure is aborted, as it means that there does not exist any run. Note that there are polynomially many entries in $A$ but each of the $nl_i$ can be exponential. We perform symbolic model checking over a path schema augmented with the calculated term maps. The augmented path schema is obtained by performing $l \times A[i]$ for each $i$. But the number of times $l \times A[i]$ is repeated, $nl_i$, can be exponential. Thus, instead of taking $l \times A[i]$ $nl_i$ times, we take it $\mathrm{Min}(nl_i, 2\mathrm{td}(\phi) + 5)$ times. By Theorem 3.1, the two path schemas are equivalent in terms of satisfiability of $\phi$. The polynomial-time algorithm is described in Algorithm 2.
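The decomposition just described, as an added Python example that is not part of the paper: it builds the interval partition induced by the constants of $B$, follows the loop from the initial counter values, records each tuple of term maps $A[h]$ together with the number $nl_h$ of iterations it lasts, stops at a final tuple, and then truncates each $nl_h$ to $\mathrm{Min}(nl_h, 2\mathrm{td}(\phi) + 5)$. It simplifies the paper's setting by treating the loop $l$ as a single transition with effect vector $\mathrm{effect}(l)$ and by omitting guards; the function names, the sample counter system and the constants are my own.

```python
from math import inf

# Constructed example, not the paper's code: the loop l is one transition with
# effect vector effect(l); guards are omitted (the paper's algorithm aborts when
# a term map violates a guard).


def intervals(consts):
    """Partition of Z induced by the constants of B, in the style of the
    paper's interval set I: (-inf,b1), [b1,b1], (b1,b2), ..., [bm,bm], (bm,+inf).
    Each interval is a pair of inclusive bounds."""
    bs = sorted(set(consts))
    ivs = [(-inf, bs[0] - 1)]
    for i, b in enumerate(bs):
        ivs.append((b, b))
        hi = bs[i + 1] - 1 if i + 1 < len(bs) else inf
        if b + 1 <= hi:          # skip empty open intervals between consecutive constants
            ivs.append((b + 1, hi))
    return ivs


def interval_of(ivs, value):
    """The unique interval of the partition containing value (a term map entry)."""
    for lo, hi in ivs:
        if lo <= value <= hi:
            return (lo, hi)
    raise ValueError(f"no interval contains {value}")


def term_value(term, counters):
    """Value of a linear term sum_j a_j x_j under a counter valuation."""
    return sum(a * counters[x] for x, a in term.items())


def iterations_before_change(values, deltas, maps):
    """Smallest k >= 1 such that, after k more iterations of the loop, some
    term leaves its current interval; None when the tuple of term maps is
    final (every term with positive per-iteration delta sits in the maximal
    interval and every term with negative delta in the minimal one)."""
    best = None
    for name, v in values.items():
        d, (lo, hi) = deltas[name], maps[name]
        if d > 0 and hi != inf:
            k = (hi - v) // d + 1          # first k with v + k*d > hi
        elif d < 0 and lo != -inf:
            k = (v - lo) // (-d) + 1       # first k with v + k*d < lo
        else:
            continue                       # d == 0 or unbounded side: never leaves
        best = k if best is None else min(best, k)
    return best


def decompose_loop(x0, effect, terms, consts):
    """Return [(term_maps, nl), ...]: the successive term-map tuples A[h] met
    while iterating the loop from x0, each with the number nl_h of iterations
    it lasts; the last entry has nl = None and is repeated omega times."""
    ivs = intervals(consts)
    x = dict(x0)
    deltas = {n: term_value(t, effect) for n, t in terms.items()}
    segments = []
    while True:
        values = {n: term_value(t, x) for n, t in terms.items()}
        maps = {n: interval_of(ivs, v) for n, v in values.items()}
        nl = iterations_before_change(values, deltas, maps)
        segments.append((maps, nl))
        if nl is None:
            return segments
        for c in x:                        # curr(t) := curr(t) + nl * effect(l)
            x[c] += nl * effect[c]


def truncate(segments, td):
    """Stuttering bound of the paper: repeat l x A[h] only Min(nl_h, 2td+5) times."""
    bound = 2 * td + 5
    return [(m, None if nl is None else min(nl, bound)) for m, nl in segments]


if __name__ == "__main__":
    # Constructed input: counters x, y; loop effect x += 1, y -= 3; terms x and y;
    # constants B = {0, 1000}; initial configuration x = 0, y = 3000.
    segs = decompose_loop({"x": 0, "y": 3000}, {"x": 1, "y": -3},
                          {"t1": {"x": 1}, "t2": {"y": 1}}, [0, 1000])
    for maps, nl in segs:
        print(maps, nl)                    # polynomially many tuples, large nl
    print([nl for _, nl in truncate(segs, td=1)])   # [1, 7, 7, 1, None]
```

On the sample input the loop passes through five tuples of term maps with iteration counts 1, 666, 333, 1 and then a final tuple, and the truncation keeps the augmented word polynomial in size even when the counts are exponential.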

Algorithm 2 The PTIME algorithm with inputs $P = p \cdot l^\omega$, $c = (q_0, v_0)$, $\phi$
1: Build a resource $R = (X, T, B)$ and a set of intervals $I$ coherent with $P$ and $\phi$.
2: Compute $f_{\mathrm{init}}(i)$ for all $i \in [0, \mathrm{len}(p \cdot l) - 1]$.
3: if for some $i \in [0, \mathrm{len}(p \cdot l) - 1]$, $f_{\mathrm{init}}(i)$ is undefined then abort
4: For each term $t = \sum_j a_j x_j \in T$, $\mathrm{curr}(t) := \sum_j a_j \cdot (\mathrm{effect}(p \cdot l)[j] + v_0[j])$.
5: $h := 1$; $A[1] := (f_{\mathrm{init}}(\mathrm{len}(p)), f_{\mathrm{init}}(\mathrm{len}(p) + 1), \ldots, f_{\mathrm{init}}(\mathrm{len}(p \cdot l) - 1))$
6: while $A[h]$ is not final do
7:   Compute $nl_h = \min\{nl \mid i \in [1, \mathrm{len}(l)],\ t \in T,\ \mathrm{val}_{\mathrm{curr}}(l^{nl} \cdot l[1, i])(t) \neq A[h](i)(t)\}$.
8:   $h := h + 1$
9:   $A[h] := (m_1, m_2, \ldots, m_{\mathrm{len}(l)})$ such that at all positions $i$ in $l$ we have $\mathrm{val}_{\mathrm{curr}}(l^{nl_h} \cdot l[1, i]) = m_i$.
10:  For every term $t = \sum_j a_j \cdot x_j \in T$, set $\mathrm{curr}(t) = \mathrm{curr}(t) + \sum_j a_j \cdot (nl_h \cdot \mathrm{effect}(l)[j])$.
11:  if there is $i \in [1, \mathrm{len}(l)]$ such that $A[h](i) \not\models \mathrm{guard}(l(i))$ then abort
12: end while
13: For $j \in [1, h - 1]$, $T[j] := \mathrm{Min}(nl_j, 2\mathrm{td}(\phi) + 5)$
14: Check that $\mathrm{proj}((p \times (f_{\mathrm{init}}(0), \ldots, f_{\mathrm{init}}(\mathrm{len}(p) - 1))) \cdot (l \times A[1])^{T[1]} (l \times A[2])^{T[2]} \cdots (l \times A[h-1])^{T[h-1]} (l \times A[h])^\omega), 0 \models_{\mathrm{symb}} \phi$

It now remains to prove that the algorithm completes in PTIME and is correct.

Lemma 7.6. Algorithm 2 terminates in time which is at most a polynomial in the size of the input.

Proof We verify that each step of the algorithm can be performed in polynomial time.

• Building a resource and a set of intervals can be done by scanning the input once.

• Since the updates of $P$ are part of the input, we can compute $f_{\mathrm{init}}$ for all positions in $p \cdot l$ in polynomial time.

• Computation of $\mathrm{curr}$ depends on the previous value of $\mathrm{curr}$ and the coefficients appearing in the guards of $P$. Hence, it involves addition and multiplication of at most a polynomial number of bits. Thus, this can be performed in polynomial time.

• The maximum possible value for $h$ is bounded by a polynomial given by Lemma 6.8. Indeed, the process described in the while loop is the same as the creation of the unfolded path schema set $Y_P$. The only difference is that there exists only one possible run, if any, and hence $Y_P$ is a singleton set.

• Calculation of each $nl_h$ requires computing $\mathrm{val}_{\mathrm{curr}}$, which again involves arithmetical operations on polynomially many bits. Thus, this requires polynomial time only.

• Checking $(p \times (f_{\mathrm{init}}(0), \ldots, f_{\mathrm{init}}(\mathrm{len}(p) - 1))) \cdot (l \times A[1])^{T[1]} (l \times A[2])^{T[2]} \cdots (l \times A[h-1])^{T[h-1]} (l \times A[h])^\omega, 0 \models_{\mathrm{symb}} \phi$ can be done in polynomial time for the following reasons.

  – By definition of $T[h]$, the size of $(p \times (f_{\mathrm{init}}(0), \ldots, f_{\mathrm{init}}(\mathrm{len}(p) - 1))) \cdot (l \times A[1])^{T[1]} (l \times A[2])^{T[2]} \cdots (l \times A[h-1])^{T[h-1]} (l \times A[h])^\omega$ is polynomial in the size of the input.

  – By [22], $(p \times (f_{\mathrm{init}}(0), \ldots, f_{\mathrm{init}}(\mathrm{len}(p) - 1))) \cdot (l \times A[1])^{T[1]} (l \times A[2])^{T[2]} \cdots (l \times A[h-1])^{T[h-1]} (l \times A[h])^\omega, 0 \models_{\mathrm{symb}} \phi$ can be checked in time $O(\mathrm{size}(\phi)^2 \times \mathrm{len}(p \cdot l^{T[1]} l^{T[2]} \cdots l^{T[h-1]} l))$. Indeed, $\models_{\mathrm{symb}}$ is analogous to the satisfaction relation for plain Past LTL.

□

Lemma 7.7. $P, c \models \phi$ iff Algorithm 2 on inputs $P$, $c$, $\phi$ has an accepting run.

Proof Let us first assume that $P, c \models \phi$. We will show that there exists a vector of positive integers $nL = (nl_1, nl_2, \ldots, nl_h)$ for some $h \in \mathbb{N}$ such that Algorithm 2 has an accepting run. Clearly, the sequence of transitions taken by a run $\rho$ respecting $P$ and satisfying $\phi$ is of the form $p \cdot l^\omega$. This can be decomposed in the form $p \cdot l^{nl_1} l^{nl_2} \cdots l^{nl_{h-1}} l^\omega$ depending on the portion of $P$ traversed, such that for each consecutive copy of $l$, the term maps associated with the nodes change. It is easy to see that this decomposition is the same as the one calculated by the algorithm. Now, the elements of $nL$ can be exponential. But by Lemma 6.5 and the stuttering theorem (Theorem 3.1), we know that $(p \times (f_{\mathrm{init}}(0), \ldots, f_{\mathrm{init}}(\mathrm{len}(p) - 1))) \cdot (l \times A[1])^{nl_1} (l \times A[2])^{nl_2} \cdots (l \times A[h-1])^{nl_{h-1}} (l \times A[h])^\omega, 0 \models_{\mathrm{symb}} \phi$ iff $(p \times (f_{\mathrm{init}}(0), \ldots, f_{\mathrm{init}}(\mathrm{len}(p) - 1))) \cdot (l \times A[1])^{T[1]} (l \times A[2])^{T[2]} \cdots (l \times A[h-1])^{T[h-1]} (l \times A[h])^\omega, 0 \models_{\mathrm{symb}} \phi$. Hence, the algorithm has an accepting run.

Now, we suppose that the algorithm has an accepting run on inputs $P$, $c$ and $\phi$. We will prove that $P, c \models \phi$. Since the algorithm has an accepting run, we assume the integers calculated by it are $nl_1, nl_2, \ldots, nl_h$. Let $w = p \cdot l^{nl_1} l^{nl_2} \cdots l^{nl_h} l^\omega$ and $\rho = ((q_0, m_0), x_0)((q_1, m_1), x_1)((q_2, m_2), x_2) \cdots \in (Q' \times \mathbb{Z}^n)^\omega$ be defined as follows: for every $i \geq 0$, $q_i = \pi_1(\mathrm{source}(w(i)))$, $x_0 = v_0$ and for every $i \geq 1$, we have $x_i = x_{i-1} + \mathrm{update}(w(i))$. By the calculation of $nl_j$, $1 \leq j \leq h$, in the algorithm, it is easy to check that $(q_0, x_0)(q_1, x_1)(q_2, x_2) \cdots \in (Q \times \mathbb{Z}^n)^\omega$ is a run respecting $P$. Algorithm 2 guarantees that $(p \times (f_{\mathrm{init}}(0), \ldots, f_{\mathrm{init}}(\mathrm{len}(p) - 1))) \cdot (l \times A[1])^{T[1]} (l \times A[2])^{T[2]} \cdots (l \times A[h-1])^{T[h-1]} (l \times A[h])^\omega, 0 \models_{\mathrm{symb}} \phi$. And thus, by Lemma 6.5 and Theorem 3.1, we have $(q_0, x_0)(q_1, x_1)(q_2, x_2) \cdots, 0 \models \phi$. □

From the last two lemmas, we deduce the result concerning path schemas of counter systems with a single loop.

Proposition 7.8. MC(PLTL[C], CPS(1)) is in PTIME.



8. Conclusion

In this paper, we have investigated the computational complexity of the model-checking problem for flat counter systems with formulae from an enriched version of LTL (with past-time operators and arithmetical constraints on the counters). Our main result is the NP-completeness of the problem MC(PLTL[C], CFS), significantly improving the complexity upper bound from [9]. This also improves the results about the effective semilinearity of the reachability relations for such flat counter systems from [?], [13]; indeed, our logical dialects allow us to specify whether a configuration is reachable. Figure 9 presents our main results and compares them with the complexity of the reachability problem. Furthermore, our results extend the recent result on the NP-completeness of model-checking flat Kripke structures with LTL from [20] (see also [19]) by adding counters and past-time operators. As far as the proof technique is concerned, the NP upper bound is obtained as a combination of a general stuttering property for LTL with past-time operators (a result extending what is done in [21] with past-time operators) and the use of small integer solutions for quantifier-free Presburger formulae [?]. This latter technique is nowadays widely used to obtain optimal complexity upper bounds for verification problems, see e.g. [18]. Herein, our main originality rests on its intricate combination with a very general stuttering principle. There are several related problems which are not addressed in the paper. For instance, the extension of the model-checking problem to full CTL* is known to be decidable [9], but the characterization of its exact complexity is open (note that we can also get decidability by taking advantage of our resolution of global model-checking, by successively replacing innermost linear-time formulae by QFP formulae). Similarly, the extension of the model-checking problem to affine counter systems having the finite monoid property in the sense of [?] is also known to be decidable [9], but not its exact complexity. Another direction for extensions would be to consider richer update functions or guards and to analyze how robust our combined proof technique would be in those cases, for instance by allowing transfer updates.

Figure 9: Summary: computational complexity of the problems MC(L,C)
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Appendix A. Proof of (Claim 3) 

Before the proof, let us recall what is (Claim 3). Let w = WiU M w 2 ,w' = 
wiu M 'w 2 G i, i! G N and N > 2 such that M, M' > 2N + 1 and (w, i) ^ N 
(w',i'). 

(Claim 3) (w, i + 1) (w', i' + 1). 

Proof The proof is similar to the proof for (Claim 2). Nevertheless, full 
proof is provided below for the sake of completeness. Without any loss of 
generality, we can assume that M > M'. Since N > N — 1, it is obvious that 
M « 2(JV _ 1} M'. 

• If i < \en(u>i) + (N — 1) • len(zz) [z is Zone Ajv], then i = i'. Hence 
either (i + 1 G Ajv_i, i' + l G A' iV _ 1 and i + 1 = i' + 1) or (z + 1 G Bjv-i, 
i' + le R'n-i and i + 1 = i' + 1) or (i + 1 e Cjv-i, i' + le C' Ar _ 1 and 
z — z' = 0). Hence, («;, i + 1) (w f , i' + 1). 

• If i > len(^i) + (M — (iV — 1)) • len(it) [z is in zone E^v] then i = 
i' + (M- M') ■ len(u) and i' > len(tui) + (M' - (iV - 1)) • len(zz) \i' is in 
zone E^y]. So, either + 1 is in zone Ejv-i and i' + 1 is in zone E^ v _ 1 ) 
or (z + 1 is in zone Dat_i and i' + 1 is in zone D^^). Since z + 1 = 
z' + l + (M-M / )-len(zz), we conclude that (w,i + l) (w',i' + l). 

• If len(iyi) + (iV-l)-len(u) < i < \en(wi) + N -len(u) [z is in Zone Bat] 
then i = i'. Hence, z' + l G Cjv-i, i' + l e and |(z + l)-(z' + l)| = 
mod len(zz). Hence, (w, i + ~jv-i W' + 

• If len(wi) + 7V-len(it) < i < len(iui) + (M — N) ■ len(zz) [z in Zone Cat], 
then len(wi) + N • len(zt) < i! < len(w 1 ) + (M 1 — N) ■ len(zz) [z' is in 
Zone C'^] and |i — i'| — mod len(zz). Consequently, i + 1 is in Zone 
Cjv-i, i' + 1 is in Zone C' Ar _ 1 and |(z + 1) — (z' + 1)| =0 mod len(w). 
This entails that (w, i + ~jv-i {w' : z' + l). 

• If len(iwi) + (M — N) ■ len(zz) < z < \en( Wl ) + (M - (N - 1)) • len(zz) 
[z in Zone D^v], then i' is in Zone and i = i' + (M — M') • len(-u). 
Consequently, either (i + 1 is in Zone Cjv-i, z' + 1 is in Zone C' N _ l and 
|(z + 1) — (z' + 1)| = mod len(tt)) or (i + 1 is in Zone D A r_ 1 , i' + 1 is 
in Zone D^ v _ 1 and z + l = z' + l + (M — M') ■ len(zz)). This also entails 
that (w, i + 1) ~ A r_ 1 (w', z' + l). 

□ 
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Appendix B. Proof of (Claim 5) 

Before the proof, let us recall what is (Claim 5). Let w = WiU M w 2 , w' = 
w l u M 'w 2 G i, i! G N and N > 2 such that M, M' > 2N+1 and (w, i) ^ N 
(w',i'). 

(Claim 5) for all j < i, there is f < i' such that (w,j) ~jv-i (w',f) and for 
all k' G [j' — 1, i'], there is k G [j — 1, i\ such that [w, k) ~ N _i (w', k'). 

Proof The proof is similar to the proof for (Claim 4) by looking backward 
instead of looking forward (still there are slight differences because past is 
finite). Nevertheless, full proof is provided below for the sake of completeness. 
We proceed by a case analysis on the positions i and j. Without any loss of 
generality, we can assume that M > M'. 

• If i < len(toi) + N • len(-u) [i is in Zone A or B] then j < len(wi) + 
iV • len(it) [j is in Zone A or B] and i' < len^x) + iV • len(n) \i' is in 
Zone A or B] and i = i' . We define j' = j. Then it is clear that f < i' 
and (w,j) & N (w',f). By (Claim 1), we get (w,j) (w',f). Let 
k' E [j' — 1, i'\ and let k = k', then we have that k £ [j — 1, i\ and also 
(w,k) m N (w',k')i hence by (Claim 1), (w,k) ~ A r_ 1 (w',k'). 

• If i > \en(w 1 ) + (M-N)-\en(u) [i is Zone D or E] then i! > \en(w 1 ) + 
(M' - N) ■ len(it) \i' is in Zone D or E] and i = %' + (M - M') ■ len(it) 
and we have the following possibilities for the position j < i: 

- If j > len(iui) + (M — N) ■ len(u) [j is in Zone D or E], then let 
j' = j — (M—M')-len(u). Consequently, we have (w,j) ~ N (w',f) 
and by (Claim 1) we get (w,j) ~ A r_ 1 (w',f). Let k! G [j 1 — 
and k = k! + (M — M') ■ len(it). Then we have that k G [j — 1, i\ 
and also (w,k) ^ N (w',k'). By (Claim 1), (w,k) ~ N ^i (w',k'}. 

- If len(-u;i)+A r -len(-u) < j < len(tui)+(M-./V)-len(w) [j is in Zone 
C], then let i = ( j - (len(tui) + • len(u))) mod len(u) (£ is the 
relative position of j in the word u it belongs to). Consequently 
< t < len(u). Let f = len(«; 1 ) + (M / -A^)den(«)-(len(«)-^) (/ 
is at the same position as j in the last word u of the Zone C). Then 
len(iui)+iV-len(u) < j' < \en(wi) + (M' -N)-\exi(u) [f is in Zone 
C] (because (M' > 2N + 1) and \ j-f \ = mod len(u) (they are 
at the same position in the word u). We deduce that (w,j) ~ N 
(w',f) and by (Claim 1) we get (w,j) ~ A r_ 1 (w',f). Then let 
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k! E [f - 1, i'] and let k = k' + (M - M') ■ len(w). Then we have 
that k G [j — 1, i\. Furthermore, if k' > len(wi) + (M' — N) ■ len(u) 
[k' is in Zone D or E] then k > len(wi) + (M — N) ■ len(w) 
[k is in Zone D or E] and we obtain (w, k) m N (w', k') and 
by (Claim 1), (w, k) ~ JV _ 1 (w',k'). Moreover, if k! < len(wi) + 
(M' — N) ■ len(-u) then necessarily len(wi) + N ■ len(-u) < k' \k' 
is in Zone C] (because j' < k') and \k — k'\ = mod len(w) 
(because k = k' + (M — M') ■ len(ti)). Whence, k is in Zone C and 
(w,k) ~jv (w',k'). By (Claim 1), we obtain (w,k) ~jv„! (w',k'). 

— If j < len(wi) + • len(-u) [j is in Zone A or B], let j' = j. We 
have then f < len(wi) + iV • len(u) [f is in Zone A or B]. We 
deduce that (w,j) ~ N (w',f) and by (Claim 1) we get (w,j) ~jv-i 
(w',f). Then let k' e If k' < len(wi)+AMen(u) \k' is in 
Zone A], for k = k', we obtain (w, k) ~ N («/, k') and by (Claim 
1), (w, k) ^ N _ t (w 1 , k'). If k' > len(wi) + (M' - AT) • len( W ) \k' is 
in Zone D or E], we choose k = k! + (M — M') • len(-u) and here 
also we deduce (w,k) ~ N (w',k') and by (Claim 1), (w,k) ~jv-i 
(w', k'). If + N ■ len(w) < k' < \en( Wl ) + (M' - N) ■ len(w) \k' 
is in Zone C], let t — [k! — (len(w 1 ) + TV • len(-u))) mod len(w) 
(£ is the relative position of k! in the word u it belongs to) and 
let k = len(wx) + TV • len(-u) + £ (k is at the same position of k! in 
the first word of the zone C). Then we have w\ + iV • len(w) < k < 
len(u;i) + (M — N) ■ len(w) [k is in the Zone C] and \k-k'\ = 
mod len(-u) which allows to deduce that (w, k) k- n (w', k') and by 
(Claim 1), (w,k) ~ Ar _ 1 (w f ,k f ). 

• If len(wi) + N ■ len(w) < i < len(wi) + (M - N) ■ len(w) [i in Zone C] 
then \en(wi) + N ■ len(-u) < i' < len(tt;i) + (M' — N) ■ len(w) \i' in Zone 
C] and \i — i'\ — mod len('u). Let £ — (i — (\en(wi) + N ■ len(w))) 
mod len(-u) (the relation position of i in the word u it belongs to). We 
have the following possibilities for the position j < i: 

— If i — j < £ + len(w) (j is in the same word u as i or in the 
previous word u) then j > len(wi) + (N — 1) • len(-u) [j is in 
Zone B or C]. We define f = i' — [i — j) and we have that 
len(wi) + (N - 1) • len(w) < f < len(wi) + (M' - N) ■ len(w) [f is 
in Zone B or C] and since \i — i'\ — mod len(-u), we deduce 
\j—j'\ = mod len(u). From this, we obtain (w, j) ^ N _ x (w',j'). 
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Let k' G \j' and k — i — {i' — k'). We have then that k e [j - 

and len(wi) + (AT-l) •len(u) < k! < len(iwi) + (Af'-iV)-len(u) 
is in Zone B or C] and len(wi) + (N — 1) • len(-u) < k < 
len(toi) + (M — N) ■ len(-u) [k is in Zone B or C] and since 
\i — i'\ — mod len(w), we also have \k — k'\ — mod len(w). 
Consequently (k;, fc) ~ A r_ 1 (w',k'). 

— lii—j> £ + \en(u) (j is neither in the same word u as % nor in the 
previous word u) and j < len(^i) + A" • len(w) [j is in zone A or 
B]. Let f = j. So, f < len(wi) + N-\en(u) and (w,j) ~ N (w',f). 
By using (Claim 1) we get (w,j) ~ N _i (w',f). Then let k! G 

If k' < len(iui) + JV-len(u) [k' is in Zone A or B],then 
let k = k'; we have in this case that k < len(t«i) + • len(w) and 
this allows us to deduce that (w,k) ~jv-i (w',k r ). Now assume 
k' > \en(w!) + N ■ len(u) [k' is in Zone C] and i' - k' < £ (k' 
and i! are in the same word u), then let k — % — {%' — k'). In this 
case we have k > \en(wi) + • len(w) [k is in Zone C] and since 
\i — i'\ — mod len(w), we also have \k — k'\ — mod len(u), 
hence (w, k) ~jv_:l ( w 'i k')- Now assume k' > \en(wi) + • len(tt) 
\k' is in Zone C] and i' — k' > £ {k 1 and i! are not in the same word 
u). We denote by £' = (k' — (len(tt; 1 ) + A^ • len(-u))) mod len(u) 
the relation position of k' in u and let k = i — £— (len(-u) —£') (k is 
at the same position as k! of k in the word u preceding the word 
u i belongs to). Then k G [j — (because len(-u) — £' < len(ti) 
and i — j> £ + len(u)) and k > len(wi) + (A^ — 1) -len(-u) (because 
i + (len(u) - £) > len(iui) + (M - N) ■ len(u) and len(u) - £ < 
len(u)) and \k — k'\ =0 mod len(-u) (k and k! are both pointing 
on the £'-th position in word u). This allows us to deduce that 
(w,k) ^ N _ x (w',k'). 

— If j — i > £ + len(w) (j is neither in the same word u as j nor 
in the previous word u) and j > len(toi) + A^ • len(-u) [j is in 
zone C]. Then let £' = (j — (len(toi) + A^ • len(-u))) mod len(tt) 
the relative position of j G u. We choose j' — i' — £ — (len(-u) — 
£') (j' and j are on the same position of u but in the word u 
precedent in the one to which i belongs to). We have then that 
j' > len(wi) + (N — 1) • len(w) [j' is zone B or C] (because 
i'—£ > \en(wi)+N)-\en(u) andlen(-u)— £' < len(u)) and \j— j'\ = 
mod len('u) (j and j' are both pointing on the £'-th position in 
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wordw), hence (w,j) ^jy^ (w',f). Let k' E lii'—k' < £ 

(k' and i' are in the same word u), then let k — i — (i' — k'). In this 
case we have k > len(iui) + N • len(u) [k is in Zone C] and since 
\i — i'\ — mod len(w), we also have \k — k'\ — mod len(w), 
hence (w, k) ~ N ^ X (w', k'}. If i' — k' > £ (k' and i' are not in the 
same word u), then k'—f < len(u)—£' and let k = j+k'—f. In this 
case we have len(u>i) + • len(w) < k < len(wi) + (M — N) ■ len(u) 
[A; is in Zone C] and since \j — j'\ — mod len(-u), we also have 
| A; — k'\ = mod len(w), whence (w, k) ~jv_! (w 1 , k'). 

□ 